Facebook Pixel

Popular Express Middlewares You Should Use

Some Express middlewares are non-negotiable for production. Here is the list with what each does.

Popular Express Middlewares You Should Use

Some Express middlewares are standard in production. Here is the list with what each does.

1. express.json

Parses JSON request bodies. Without it, req.body is undefined. Add it before your routes.

2. express.urlencoded

Parses form-encoded bodies. Add with { extended: true } if you accept form submissions.

3. cors

Allows cross-origin requests. Configure with your allowed origin and credentials: true if you use cookies.

4. helmet

Adds security HTTP headers: X-Frame-Options, Strict-Transport-Security, Content-Security-Policy basics. Set and forget.

5. morgan

HTTP request logger. Use 'dev' format in development and 'combined' in production. Or use pino-http for faster logging.

6. express-rate-limit

Limits requests per IP. Add a global limiter (e.g., 100 req per 15 min) and stricter limiters on auth routes (5 attempts per 15 min).

7. cookie-parser

Parses cookies into req.cookies. Required if you use cookies (e.g., JWT in httpOnly cookie).

8. compression

Gzips responses. Saves bandwidth and improves response time. Add after json and before routes.

9. express-mongo-sanitize

Strips $ and . from user input to prevent NoSQL injection. Add it after body parser.

10. xss-clean or dompurify

Strips HTML from user input to prevent XSS. Use carefully; some legit fields may contain HTML.

11. hpp

Protects against HTTP Parameter Pollution. Removes duplicate query params.

12. Custom Auth Middleware

Verifies JWT, sets req.user. Apply per route or per router. Keep public routes outside.

13. Custom Validation Middleware

Validates req.body, req.params, req.query with zod or express-validator. Sends 400 with errors. Use a factory for clean code.

14. Custom Error Handler

Four-parameter middleware. Catches errors from any middleware or handler. Logs and sends safe responses. Always last.

The Takeaway

Use these Express middlewares: express.json, express.urlencoded, cors, helmet, morgan (or pino-http), express-rate-limit, cookie-parser, compression, express-mongo-sanitize, xss-clean, hpp, and your own auth, validation, and error handler middlewares. Most are one-liners with big payoff.

express.json, express.urlencoded, cors, helmet, morgan or pino-http, express-rate-limit, cookie-parser, compression, express-mongo-sanitize, xss-clean, hpp, plus your own auth, validation, and error handler middlewares.

Adds security HTTP headers: X-Frame-Options (clickjacking), Strict-Transport-Security (force HTTPS), Content-Security-Policy basics, and more. Set and forget; it protects against several common attacks with no behavior change.

Limits requests per IP. Add a global limiter (100 req per 15 min) and stricter limiters on auth routes (5 attempts per 15 min). Prevents abuse and brute-force attacks.

Strips $ and . from user input to prevent NoSQL injection. Without it, a user can send { $gt: '' } as a query and bypass auth. Add it after body parser so all bodies are sanitized.

HTTP Parameter Pollution. It removes duplicate query params so an attacker cannot trick your parser by sending ?user=a&user=b. Small middleware with a clear protective role.

Ready to master Node.js completely?

Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.

Please Login.
Please Login.
Please Login.
Please Login.