Data Sanitization Checklist for Node.js APIs
A practical checklist for sanitizing input in a Node.js API.
Data Sanitization Checklist for Node.js APIs
A practical checklist for sanitizing input in a Node.js API. Tick each one before launch.
1. Strip $ and . From Input
Use express-mongo-sanitize. Prevents NoSQL injection.
2. Strip HTML From Input
Use xss-clean or dompurify. Prevents XSS. Be careful with fields that legitimately contain HTML (rich text).
3. Trim Whitespace
Trim leading and trailing whitespace from string fields. Use Zod's .trim().
4. Normalize Emails
Lowercase and trim emails. Use Zod's .toLowerCase().trim().
5. Validate Types
Enforce types with Zod. Strings are strings, numbers are numbers, ObjectIds are 24-char hex strings.
6. Validate Constraints
required, min, max, minlength, maxlength, enum, match. Reject anything that does not fit.
7. Use runValidators on Updates
Pass { runValidators: true, new: true } on every findByIdAndUpdate and updateOne.
8. Whitelist Filter Fields
Do not let users set arbitrary filter fields. Whitelist the fields they can filter by. Prevents query injection.
9. Cap Request Body Size
Set express.json({ limit: '10kb' }). Prevents oversized payload attacks.
10. Remove Duplicate Query Params
Use hpp. Prevents HTTP Parameter Pollution.
11. Cast Inputs Explicitly
When building queries from user input, cast: String(req.body.email). Defense in depth.
12. Avoid $where
Do not use $where. It runs JavaScript in the database and is a common injection vector.
13. Set Security Headers
Use helmet. Sets X-Frame-Options, Strict-Transport-Security, CSP, and more.
14. Use httpOnly Cookies
Store JWT in httpOnly, secure, sameSite cookies. Scripts cannot read them.
15. Rate Limit Auth Routes
Use express-rate-limit. 5 attempts per 15 minutes on login and signup. Prevents brute force.
16. Validate on the Server
Never trust client-side validation. Validate on the server, no matter what the client does.
The Takeaway
Sanitize your Node.js API: strip $ and . with express-mongo-sanitize, strip HTML with xss-clean, trim and normalize with Zod, validate types and constraints, use runValidators on updates, whitelist filter fields, cap body size, remove duplicate query params with hpp, cast explicitly, avoid $where, set security headers with helmet, use httpOnly cookies, rate limit auth routes, and always validate on the server.
Strip $ and . with express-mongo-sanitize, strip HTML with xss-clean, trim and normalize with Zod, validate types and constraints, use runValidators on updates, whitelist filter fields, cap body size, remove duplicate query params with hpp, cast explicitly, avoid $where, set security headers with helmet, use httpOnly cookies, and rate limit auth routes.
Use express-mongo-sanitize to strip $ and . from req.body, req.params, and req.query. Validate types with Zod (objects where strings are expected are rejected). Use Mongoose (casts based on schema). Cast inputs explicitly with String(). Avoid $where.
Strip HTML from input with xss-clean or dompurify. Escape output on render (React does this by default). Set a Content Security Policy with helmet. Use httpOnly cookies so scripts cannot steal tokens. Sanitize rich text on render.
express.json({ limit: '10kb' }) prevents oversized payload attacks. Without a limit, a malicious client can send huge bodies, eating memory and slowing the server. Set a sensible limit based on your largest expected request.
If users can set arbitrary filter fields, they can probe your data model. Whitelist the fields they can filter by (role, gender, status) and ignore the rest. Prevents query injection and limits the surface.
Ready to master Node.js completely?
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.
Master Node.js
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course.

