Facebook Pixel

Data Sanitization Checklist for Node.js APIs

A practical checklist for sanitizing input in a Node.js API.

Data Sanitization Checklist for Node.js APIs

A practical checklist for sanitizing input in a Node.js API. Tick each one before launch.

1. Strip $ and . From Input

Use express-mongo-sanitize. Prevents NoSQL injection.

2. Strip HTML From Input

Use xss-clean or dompurify. Prevents XSS. Be careful with fields that legitimately contain HTML (rich text).

3. Trim Whitespace

Trim leading and trailing whitespace from string fields. Use Zod's .trim().

4. Normalize Emails

Lowercase and trim emails. Use Zod's .toLowerCase().trim().

5. Validate Types

Enforce types with Zod. Strings are strings, numbers are numbers, ObjectIds are 24-char hex strings.

6. Validate Constraints

required, min, max, minlength, maxlength, enum, match. Reject anything that does not fit.

7. Use runValidators on Updates

Pass { runValidators: true, new: true } on every findByIdAndUpdate and updateOne.

8. Whitelist Filter Fields

Do not let users set arbitrary filter fields. Whitelist the fields they can filter by. Prevents query injection.

9. Cap Request Body Size

Set express.json({ limit: '10kb' }). Prevents oversized payload attacks.

10. Remove Duplicate Query Params

Use hpp. Prevents HTTP Parameter Pollution.

11. Cast Inputs Explicitly

When building queries from user input, cast: String(req.body.email). Defense in depth.

12. Avoid $where

Do not use $where. It runs JavaScript in the database and is a common injection vector.

13. Set Security Headers

Use helmet. Sets X-Frame-Options, Strict-Transport-Security, CSP, and more.

14. Use httpOnly Cookies

Store JWT in httpOnly, secure, sameSite cookies. Scripts cannot read them.

15. Rate Limit Auth Routes

Use express-rate-limit. 5 attempts per 15 minutes on login and signup. Prevents brute force.

16. Validate on the Server

Never trust client-side validation. Validate on the server, no matter what the client does.

The Takeaway

Sanitize your Node.js API: strip $ and . with express-mongo-sanitize, strip HTML with xss-clean, trim and normalize with Zod, validate types and constraints, use runValidators on updates, whitelist filter fields, cap body size, remove duplicate query params with hpp, cast explicitly, avoid $where, set security headers with helmet, use httpOnly cookies, rate limit auth routes, and always validate on the server.

Strip $ and . with express-mongo-sanitize, strip HTML with xss-clean, trim and normalize with Zod, validate types and constraints, use runValidators on updates, whitelist filter fields, cap body size, remove duplicate query params with hpp, cast explicitly, avoid $where, set security headers with helmet, use httpOnly cookies, and rate limit auth routes.

Use express-mongo-sanitize to strip $ and . from req.body, req.params, and req.query. Validate types with Zod (objects where strings are expected are rejected). Use Mongoose (casts based on schema). Cast inputs explicitly with String(). Avoid $where.

Strip HTML from input with xss-clean or dompurify. Escape output on render (React does this by default). Set a Content Security Policy with helmet. Use httpOnly cookies so scripts cannot steal tokens. Sanitize rich text on render.

express.json({ limit: '10kb' }) prevents oversized payload attacks. Without a limit, a malicious client can send huge bodies, eating memory and slowing the server. Set a sensible limit based on your largest expected request.

If users can set arbitrary filter fields, they can probe your data model. Whitelist the fields they can filter by (role, gender, status) and ignore the rest. Prevents query injection and limits the surface.

Ready to master Node.js completely?

Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.

Please Login.
Please Login.
Please Login.
Please Login.