security Best Practices

Learn essential security best practices for Node.js applications. This is a foundational concept in server-side JavaScript development that professional developers rely on daily. The explanations below are written to be beginner-friendly while covering the depth and nuance that comes from real-world Node.js experience. Take your time with each section and practice the examples

50 min•By Priygop Team•Last updated: Feb 2026

security Best Practices

Use HTTPS in production — a critical concept in server-side JavaScript development that you will use frequently in real projects
Implement rate limiting — a critical concept in server-side JavaScript development that you will use frequently in real projects
Validate and sanitize all inputs — a critical concept in server-side JavaScript development that you will use frequently in real projects
Use environment variables for sensitive data — a critical concept in server-side JavaScript development that you will use frequently in real projects
Implement proper CORS policies — a critical concept in server-side JavaScript development that you will use frequently in real projects
Use security headers — a critical concept in server-side JavaScript development that you will use frequently in real projects
Regular security updates — a critical concept in server-side JavaScript development that you will use frequently in real projects
Input validation and sanitization — a critical concept in server-side JavaScript development that you will use frequently in real projects
SQL injection prevention — a critical concept in server-side JavaScript development that you will use frequently in real projects
XSS protection — a critical concept in server-side JavaScript development that you will use frequently in real projects

security Implementation

Example

// Install security dependencies
npm install helmet express-rate-limit cors

const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const cors = require('cors');

// security middleware
app.use(helmet());

// Rate limiting
const limiter = rateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 100, // limit each IP to 100 requests per windowMs
    message: 'Too many requests from this IP'
});
app.use('/api/', limiter);

// CORS configuration
const corsOptions = {
    origin: process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:3000'],
    credentials: true,
    optionsSuccessStatus: 200
};
app.use(cors(corsOptions));

// Input validation middleware
const validateInput = (req, res, next) => {
    const { name, email, password } = req.body;
    
    // Sanitize inputs
    req.body.name = name?.trim().replace(/[<>]/g, '');
    req.body.email = email?.toLowerCase().trim();
    
    // Validate email
    const emailRegex = /^[^s@]+@[^s@]+.[^s@]+$/;
    if (!emailRegex.test(req.body.email)) {
        return res.status(400).json({ error: 'Invalid email format' });
    }
    
    // Validate password strength
    if (password && password.length < 8) {
        return res.status(400).json({ error: 'Password must be at least 8 characters long' });
    }
    
    next();
};

// Apply validation to routes
app.post('/register', validateInput, async (req, res) => {
    // Registration logic
});

// Environment variables
require('dotenv').config();

const config = {
    port: process.env.PORT || 3000,
    mongoUri: process.env.MONGO_URI,
    jwtSecret: process.env.JWT_SECRET,
    nodeEnv: process.env.NODE_ENV || 'development'
};

// Error handling for security
app.use((err, req, res, next) => {
    console.error(err.stack);
    
    // Don't leak error details in production
    if (process.env.NODE_ENV === 'production') {
        res.status(500).json({ error: 'Something went wrong!' });
    } else {
        res.status(500).json({ error: err.message });
    }
});

Try It Yourself — Authentication & security

Try It Yourself — Authentication & securityHTML

HTML Editor

✓ ValidTab = 2 spaces

<!DOCTYPE html>
<html>
<head>
<style>
  body { font-family: Arial, sans-serif; padding: 20px; background: #f5f5f5; }
  .container { background: white; padding: 30px; border-radius: 12px; box-shadow: 0 2px 8px rgba(0,0,0,0.1); max-width: 600px; margin: auto; }
  h1 { color: #68a063; }
  button { background: #68a063; color: white; border: none; padding: 10px 20px; border-radius: 6px; font-weight: bold; cursor: pointer; font-size: 16px; margin: 5px; }
  button:hover { background: #5a8f57; }
  .output { background: #1e1e1e; color: #4ec9b0; padding: 15px; border-radius: 8px; margin-top: 15px; font-family: monospace; min-height: 40px; white-space: pre-wrap; }
  select, input { padding: 8px 12px; border: 2px solid #ddd; border-radius: 6px; font-size: 14px; margin: 5px; }
</style>
</head>
<body>
<div class="container">
  <h1>⚙️ Node.js Module 4 Playground</h1>
  <p>Simulate Node.js server concepts in the browser!</p>
  <select id="method"><option>GET</option><option>POST</option><option>PUT</option><option>DELETE</option></select>
  <input id="endpoint" placeholder="/api/users" value="/api/users" />
  <button onclick="simulateRequest()">Send Request</button>
  <button onclick="clearLog()">Clear</button>
  <div class="output" id="output">Server ready. Send a request...</div>
</div>
<script>
  let logs = [];
  function log(msg) { logs.push(msg); document.getElementById('output').textContent = logs.join('
'); }
  function clearLog() { logs = []; document.getElementById('output').textContent = 'Log cleared.'; }
  function simulateRequest() {
    const method = document.getElementById('method').value;
    const endpoint = document.getElementById('endpoint').value || '/';
    log('[' + new Date().toLocaleTimeString() + '] ' + method + ' ' + endpoint);
    log('Status: 200 OK');
    log('Response: { "success": true, "method": "' + method + '", "path": "' + endpoint + '" }');
    log('---');
  }
</script>
</body>
</html>

<!DOCTYPE html>
<html>
<head>
<style>
  body { font-family: Arial, sans-serif; padding: 20px; background: #f5f5f5; }
  .container { background: white; padding: 30px; border-radius: 12px; box-shadow: 0 2px 8px rgba(0,0,0,0.1); max-width: 600px; margin: auto; }
  h1 { color: #68a063; }
  button { background: #68a063; color: white; border: none; padding: 10px 20px; border-radius: 6px; font-weight: bold; cursor: pointer; font-size: 16px; margin: 5px; }
  button:hover { background: #5a8f57; }
  .output { background: #1e1e1e; color: #4ec9b0; padding: 15px; border-radius: 8px; margin-top: 15px; font-family: monospace; min-height: 40px; white-space: pre-wrap; }
  select, input { padding: 8px 12px; border: 2px solid #ddd; border-radius: 6px; font-size: 14px; margin: 5px; }
</style>
</head>
<body>
<div class="container">
  <h1>⚙️ Node.js Module 4 Playground</h1>
  <p>Simulate Node.js server concepts in the browser!</p>
  <select id="method"><option>GET</option><option>POST</option><option>PUT</option><option>DELETE</option></select>
  <input id="endpoint" placeholder="/api/users" value="/api/users" />
  <button onclick="simulateRequest()">Send Request</button>
  <button onclick="clearLog()">Clear</button>
  <div class="output" id="output">Server ready. Send a request...</div>
</div>
<script>
  let logs = [];
  function log(msg) { logs.push(msg); document.getElementById('output').textContent = logs.join('
'); }
  function clearLog() { logs = []; document.getElementById('output').textContent = 'Log cleared.'; }
  function simulateRequest() {
    const method = document.getElementById('method').value;
    const endpoint = document.getElementById('endpoint').value || '/';
    log('[' + new Date().toLocaleTimeString() + '] ' + method + ' ' + endpoint);
    log('Status: 200 OK');
    log('Response: { "success": true, "method": "' + method + '", "path": "' + endpoint + '" }');
    log('---');
  }
</script>
</body>
</html>

Result

Click ▶ Run to see the result

Edit the code on the left, then click Run

HTML|39 lines|1938 chars|✓ Valid syntax

UTF-8

Quick Quiz — Authentication & security

Next Module →

security Best Practices

50 min•By Priygop Team•Last updated: Feb 2026

security Best Practices

Use HTTPS in production — a critical concept in server-side JavaScript development that you will use frequently in real projects

Implement rate limiting — a critical concept in server-side JavaScript development that you will use frequently in real projects

Validate and sanitize all inputs — a critical concept in server-side JavaScript development that you will use frequently in real projects

Use environment variables for sensitive data — a critical concept in server-side JavaScript development that you will use frequently in real projects

Implement proper CORS policies — a critical concept in server-side JavaScript development that you will use frequently in real projects

Use security headers — a critical concept in server-side JavaScript development that you will use frequently in real projects

Regular security updates — a critical concept in server-side JavaScript development that you will use frequently in real projects

Input validation and sanitization — a critical concept in server-side JavaScript development that you will use frequently in real projects

SQL injection prevention — a critical concept in server-side JavaScript development that you will use frequently in real projects

XSS protection — a critical concept in server-side JavaScript development that you will use frequently in real projects

security Implementation

Example

// Install security dependencies
npm install helmet express-rate-limit cors

const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const cors = require('cors');

// security middleware
app.use(helmet());

// Rate limiting
const limiter = rateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 100, // limit each IP to 100 requests per windowMs
    message: 'Too many requests from this IP'
});
app.use('/api/', limiter);

// CORS configuration
const corsOptions = {
    origin: process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:3000'],
    credentials: true,
    optionsSuccessStatus: 200
};
app.use(cors(corsOptions));

// Input validation middleware
const validateInput = (req, res, next) => {
    const { name, email, password } = req.body;
    
    // Sanitize inputs
    req.body.name = name?.trim().replace(/[<>]/g, '');
    req.body.email = email?.toLowerCase().trim();
    
    // Validate email
    const emailRegex = /^[^s@]+@[^s@]+.[^s@]+$/;
    if (!emailRegex.test(req.body.email)) {
        return res.status(400).json({ error: 'Invalid email format' });
    }
    
    // Validate password strength
    if (password && password.length < 8) {
        return res.status(400).json({ error: 'Password must be at least 8 characters long' });
    }
    
    next();
};

// Apply validation to routes
app.post('/register', validateInput, async (req, res) => {
    // Registration logic
});

// Environment variables
require('dotenv').config();

const config = {
    port: process.env.PORT || 3000,
    mongoUri: process.env.MONGO_URI,
    jwtSecret: process.env.JWT_SECRET,
    nodeEnv: process.env.NODE_ENV || 'development'
};

// Error handling for security
app.use((err, req, res, next) => {
    console.error(err.stack);
    
    // Don't leak error details in production
    if (process.env.NODE_ENV === 'production') {
        res.status(500).json({ error: 'Something went wrong!' });
    } else {
        res.status(500).json({ error: err.message });
    }
});

Try It Yourself — Authentication & security

Try It Yourself — Authentication & securityHTML

HTML Editor

✓ ValidTab = 2 spaces

<!DOCTYPE html>
<html>
<head>
<style>
  body { font-family: Arial, sans-serif; padding: 20px; background: #f5f5f5; }
  .container { background: white; padding: 30px; border-radius: 12px; box-shadow: 0 2px 8px rgba(0,0,0,0.1); max-width: 600px; margin: auto; }
  h1 { color: #68a063; }
  button { background: #68a063; color: white; border: none; padding: 10px 20px; border-radius: 6px; font-weight: bold; cursor: pointer; font-size: 16px; margin: 5px; }
  button:hover { background: #5a8f57; }
  .output { background: #1e1e1e; color: #4ec9b0; padding: 15px; border-radius: 8px; margin-top: 15px; font-family: monospace; min-height: 40px; white-space: pre-wrap; }
  select, input { padding: 8px 12px; border: 2px solid #ddd; border-radius: 6px; font-size: 14px; margin: 5px; }
</style>
</head>
<body>
<div class="container">
  <h1>⚙️ Node.js Module 4 Playground</h1>
  <p>Simulate Node.js server concepts in the browser!</p>
  <select id="method"><option>GET</option><option>POST</option><option>PUT</option><option>DELETE</option></select>
  <input id="endpoint" placeholder="/api/users" value="/api/users" />
  <button onclick="simulateRequest()">Send Request</button>
  <button onclick="clearLog()">Clear</button>
  <div class="output" id="output">Server ready. Send a request...</div>
</div>
<script>
  let logs = [];
  function log(msg) { logs.push(msg); document.getElementById('output').textContent = logs.join('
'); }
  function clearLog() { logs = []; document.getElementById('output').textContent = 'Log cleared.'; }
  function simulateRequest() {
    const method = document.getElementById('method').value;
    const endpoint = document.getElementById('endpoint').value || '/';
    log('[' + new Date().toLocaleTimeString() + '] ' + method + ' ' + endpoint);
    log('Status: 200 OK');
    log('Response: { "success": true, "method": "' + method + '", "path": "' + endpoint + '" }');
    log('---');
  }
</script>
</body>
</html>

Result

Click ▶ Run to see the result

Edit the code on the left, then click Run

HTML|39 lines|1938 chars|✓ Valid syntax

UTF-8

security Best Practices