Express Middleware Order and Execution: How It Works
Middleware order is critical in Express. Here is how execution works and why order matters.
Express Middleware Order and Execution
Express runs middlewares in the order you add them. This sounds simple, but it is the cause of many bugs.
The Order
app.use(express.json()); // 1
app.use(cors()); // 2
app.use(helmet()); // 3
app.use(morgan('dev')); // 4
app.use('/users', usersRouter); // 5
app.use(errorHandler); // 6
Every request runs 1 through 4, then if the path matches /users, runs the matched route inside usersRouter, then if an error occurred, runs 6.
Why Order Matters
- Body parser must come before routes. Otherwise req.body is undefined in handlers.
- Helmet should come early. It sets security headers; you want them on every response.
- Logger before routes. You want to log every request, including 404s.
- Auth after body parser. Auth may read req.body for credentials.
- Error handler last. It catches errors from any middleware or route.
Path-Specific Middleware
app.use('/api', auth) applies auth only to paths starting with /api. Public routes (e.g., /login) live outside /api.
Per-Route Middleware
router.post('/posts', auth, validate(createPostSchema), createPost). The middlewares run in order: auth, then validate, then createPost. If auth sends a response, validate and createPost never run.
next() Passes Control
Calling next() moves to the next middleware in the chain. Without it, the request hangs. Calling next(err) jumps straight to the error handler.
What Happens on Error
If a middleware or handler calls next(err) or throws, Express skips everything between it and the error handler. So if auth fails, no other middleware runs; the error handler responds.
Common Order Bugs
- Body parser after routes: req.body undefined.
- Logger after routes: 404s are not logged.
- Auth after routes: protected routes are not protected.
- Error handler not last: errors after it are not caught.
The Takeaway
Express runs middlewares in the order you add them. Order: body parser, security headers (helmet), CORS, logger, then routes (with their per-router and per-route middlewares), then error handler last. Wrong order causes silent bugs.
Express runs middlewares in the order you add them. Wrong order causes silent bugs: body parser after routes means req.body is undefined; logger after routes means 404s are not logged; error handler not last means some errors are not caught.
Body parser, helmet, CORS, logger, then routes (with per-router and per-route middlewares), then error handler last. Body parser before routes so req.body is defined; helmet early for security headers; error handler last so all errors are caught.
Express skips everything between that middleware and the error handler. The error handler then runs and sends a response. This is how errors short-circuit the rest of the chain.
In the order you list them. router.post('/posts', auth, validate, createPost) runs auth, then validate, then createPost. If auth sends a response, validate and createPost never run.
Express runs middlewares in order. An error handler in the middle would miss errors from routes declared after it. The error handler must be the last middleware registered.
Ready to master Node.js completely?
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.
Master Node.js
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course.

