Facebook Pixel

Express Middlewares Every Server Needs

Some middlewares are non-negotiable for a production Express server. Here is the list.

Express Middlewares Every Server Needs

A production Express server needs more than just routes. These middlewares are non-negotiable.

1. express.json

Parses JSON request bodies. Without it, req.body is undefined. Add it before your routes.

2. express.urlencoded

Parses form-encoded bodies. Useful if you accept form submissions. Add express.urlencoded({ extended: true }).

3. cors

Browsers block cross-origin requests without CORS headers. Add cors with your allowed origin and credentials: true if you use cookies.

4. helmet

Adds security HTTP headers (X-Frame-Options, Strict-Transport-Security, Content-Security-Policy basics). Set it and forget it.

5. morgan or pino-http

Logs HTTP requests. Morgan is simple to start. pino-http is faster in production. Either way, log every request with method, path, status, and response time.

6. express-rate-limit

Limits requests per IP to prevent abuse. Add a global limiter (100 req per 15 min) and stricter limiters on auth routes (5 login attempts per 15 min).

7. cookie-parser

If you use cookies (e.g., JWT in httpOnly cookie), add cookie-parser so req.cookies is populated.

8. compression

Compresses responses with gzip. Saves bandwidth and improves response time. Add it after json and before routes.

9. Auth Middleware

Custom. Verifies the JWT, sets req.user. Apply per route or per group of routes that need auth.

10. Validation Middleware

Custom. Validates req.body, req.params, req.query with zod or express-validator. Sends 400 with errors if invalid.

11. Error-Handling Middleware

Custom. (err, req, res, next) => {}. Catches errors from any middleware or handler. Logs the full error, sends a safe message, sets the right status code. Register it last.

Order Matters

Add global middlewares (json, cors, helmet, compression) first. Then routers. Then the error handler. Express runs middlewares in the order you add them.

The Takeaway

Every production Express server needs: express.json, express.urlencoded, cors, helmet, morgan or pino-http, express-rate-limit, cookie-parser (if using cookies), compression, a custom auth middleware, a validation middleware, and an error-handling middleware. Order matters.

express.json, express.urlencoded, cors, helmet, a logger (morgan or pino-http), express-rate-limit, cookie-parser (if using cookies), compression, a custom auth middleware, a validation middleware, and an error-handling middleware.

It sets security HTTP headers (X-Frame-Options, Strict-Transport-Security, Content-Security-Policy basics) that protect against clickjacking, sniffing, and other common attacks. Set it and forget it.

Limits requests per IP to prevent abuse and brute-force attacks. Add a global limiter (e.g., 100 req per 15 min) and stricter limiters on auth routes (5 login attempts per 15 min). It is a small addition with big protection.

Yes. Express runs middlewares in the order you add them. Add global ones (json, cors, helmet, compression) first, then routers, then the error-handling middleware last. Wrong order causes bugs (e.g., body parser after routes means req.body is undefined).

It gzips responses. Saves bandwidth and improves response time, especially for large JSON payloads. Add it after json and before your routes.

Ready to master Node.js completely?

Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.

Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.