Popular Express Middlewares You Should Use
Some Express middlewares are non-negotiable for production. Here is the list with what each does.
Popular Express Middlewares You Should Use
Some Express middlewares are standard in production. Here is the list with what each does.
1. express.json
Parses JSON request bodies. Without it, req.body is undefined. Add it before your routes.
2. express.urlencoded
Parses form-encoded bodies. Add with { extended: true } if you accept form submissions.
3. cors
Allows cross-origin requests. Configure with your allowed origin and credentials: true if you use cookies.
4. helmet
Adds security HTTP headers: X-Frame-Options, Strict-Transport-Security, Content-Security-Policy basics. Set and forget.
5. morgan
HTTP request logger. Use 'dev' format in development and 'combined' in production. Or use pino-http for faster logging.
6. express-rate-limit
Limits requests per IP. Add a global limiter (e.g., 100 req per 15 min) and stricter limiters on auth routes (5 attempts per 15 min).
7. cookie-parser
Parses cookies into req.cookies. Required if you use cookies (e.g., JWT in httpOnly cookie).
8. compression
Gzips responses. Saves bandwidth and improves response time. Add after json and before routes.
9. express-mongo-sanitize
Strips $ and . from user input to prevent NoSQL injection. Add it after body parser.
10. xss-clean or dompurify
Strips HTML from user input to prevent XSS. Use carefully; some legit fields may contain HTML.
11. hpp
Protects against HTTP Parameter Pollution. Removes duplicate query params.
12. Custom Auth Middleware
Verifies JWT, sets req.user. Apply per route or per router. Keep public routes outside.
13. Custom Validation Middleware
Validates req.body, req.params, req.query with zod or express-validator. Sends 400 with errors. Use a factory for clean code.
14. Custom Error Handler
Four-parameter middleware. Catches errors from any middleware or handler. Logs and sends safe responses. Always last.
The Takeaway
Use these Express middlewares: express.json, express.urlencoded, cors, helmet, morgan (or pino-http), express-rate-limit, cookie-parser, compression, express-mongo-sanitize, xss-clean, hpp, and your own auth, validation, and error handler middlewares. Most are one-liners with big payoff.
express.json, express.urlencoded, cors, helmet, morgan or pino-http, express-rate-limit, cookie-parser, compression, express-mongo-sanitize, xss-clean, hpp, plus your own auth, validation, and error handler middlewares.
Adds security HTTP headers: X-Frame-Options (clickjacking), Strict-Transport-Security (force HTTPS), Content-Security-Policy basics, and more. Set and forget; it protects against several common attacks with no behavior change.
Limits requests per IP. Add a global limiter (100 req per 15 min) and stricter limiters on auth routes (5 attempts per 15 min). Prevents abuse and brute-force attacks.
Strips $ and . from user input to prevent NoSQL injection. Without it, a user can send { $gt: '' } as a query and bypass auth. Add it after body parser so all bodies are sanitized.
HTTP Parameter Pollution. It removes duplicate query params so an attacker cannot trick your parser by sending ?user=a&user=b. Small middleware with a clear protective role.
Ready to master Node.js completely?
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.
Master Node.js
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course.

