A comprehensive guide to securing your Express application. Covering 15 vulnerability categories with framework-specific code examples and best practices.
Use `helmet` middleware for setting security headers (CSP, HSTS, X-Frame-Options, etc.) with sensible defaults.
Use `express-rate-limit` for rate limiting. Apply stricter limits to authentication endpoints and API routes.
Always use parameterized queries with your database driver. Never concatenate user input into SQL strings.
Validate request bodies using `express-validator`, Zod, or Joi middleware. Reject requests that do not match expected schemas.
Use `cors` middleware with explicit origin allowlists. Never use `cors({ origin: '*' })` in production.
Disable the `X-Powered-By` header with `app.disable('x-powered-by')` or by using helmet.
Use `multer` or `busboy` for file uploads with strict file type and size limits. Store files outside the web root.
Implement proper error handling middleware that does not leak stack traces or internal details in production.
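Two of the tips above (the explicit CORS origin allowlist and an error handler that does not leak stack traces) written out as an added example that is not code from this guide or from the packages it names. It has no dependencies so it runs stand-alone: the allowlisted origins and the `production` flag are constructed assumptions, and the functions follow the `origin` callback shape the `cors` package accepts and Express's four-argument error-handler signature, so they plug in with `cors({ origin: corsOriginCheck(ALLOWED_ORIGINS) })` and `app.use(makeErrorHandler({ production: process.env.NODE_ENV === 'production' }))`.

```javascript
// Constructed sample allowlist: only these exact origins get CORS headers.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];

// Build the `origin` function that `cors` calls with (requestOrigin, callback).
// Requests without an Origin header (same-origin navigation, curl) are allowed;
// any other origin must match the allowlist exactly, never a wildcard.
function corsOriginCheck(allowlist) {
  const allowed = new Set(allowlist);
  return function origin(requestOrigin, callback) {
    if (!requestOrigin) return callback(null, true);
    if (allowed.has(requestOrigin)) return callback(null, true);
    // allow=false: cors omits Access-Control-Allow-Origin for this request.
    return callback(null, false);
  };
}

// Express error-handling middleware (recognised by its four parameters).
// `production` is assumed to be derived from NODE_ENV by the caller; `log`
// defaults to console.error so details still reach the server log.
function makeErrorHandler({ production, log = console.error }) {
  return function errorHandler(err, req, res, next) {
    // Honour an explicit 4xx/5xx status on the error, otherwise treat as 500.
    const status = Number.isInteger(err.status) && err.status >= 400 ? err.status : 500;
    // Full detail (message and stack) goes to the log, never to the client.
    log(`${req.method} ${req.originalUrl || req.url} -> ${status}: ${err.stack || err}`);
    // Headers already sent: delegate to Express's default handler to close the socket.
    if (res.headersSent) return next(err);
    // 4xx messages are client-facing by design; 5xx messages may contain internals.
    const body = { error: status >= 500 ? 'Internal Server Error' : err.message };
    if (!production) body.stack = err.stack; // stack traces only outside production
    res.status(status).json(body);
  };
}

module.exports = { ALLOWED_ORIGINS, corsOriginCheck, makeErrorHandler };
```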
SQL Injection
A03:2021 - Injection · CWE-89
Broken Authentication
A07:2021 - Identification and Authentication Failures · CWE-287
Command Injection
A03:2021 - Injection · CWE-78
Insecure Deserialization
A08:2021 - Software and Data Integrity Failures · CWE-502
Row Level Security (RLS) Bypass
A01:2021 - Broken Access Control · CWE-863
Cross-Site Scripting (XSS)
A03:2021 - Injection · CWE-79
Cross-Site Request Forgery (CSRF)
A01:2021 - Broken Access Control · CWE-352
Insecure Direct Object References (IDOR)
A01:2021 - Broken Access Control · CWE-639
Sensitive Data Exposure
A02:2021 - Cryptographic Failures · CWE-200
JWT Vulnerabilities
A07:2021 - Identification and Authentication Failures · CWE-347
Path Traversal
A01:2021 - Broken Access Control · CWE-22
Server-Side Request Forgery (SSRF)
A10:2021 - Server-Side Request Forgery · CWE-918
File Upload Vulnerabilities
A04:2021 - Insecure Design · CWE-434
Automatically test your Express application for all 15 vulnerability categories. Get actionable results in minutes.