Tools

Tools: Node.js Security Hardening in Production: The Complete 2026 Guide - 2025 Update

2026-03-27 0 views admin
Tools: Node.js Security Hardening in Production: The Complete 2026 Guide - 2025 Update

Node.js Security Hardening in Production: The Complete 2026 Guide

1. HTTP Security Headers with Helmet

2. Rate Limiting: Protect Every Endpoint

3. CORS: Restrict the Origin List

4. Input Validation with Zod

5. Secret Management: Stop Committing Credentials

6. Dependency Auditing

7. SQL Injection Prevention

8. HTTPS Enforcement and TLS Configuration

9. Authentication and Session Security

10. Security Monitoring and Logging

The Security Checklist

What to Do Right Now Most Node.js security breaches aren't novel attacks. They're well-known vulnerability classes — exposed secrets, missing rate limits, unsanitized input, outdated dependencies — applied to applications that skipped the basics. This guide is the basics. All of them. In one place. By the end, you'll have a Node.js application that defends against the OWASP Top 10 most common web vulnerabilities, handles secrets properly, rejects malformed input before it reaches your business logic, and gives attackers nothing useful to discover. The fastest security win in any Express application: install helmet. One line of middleware sets 14 HTTP security headers that browsers use to protect users. What helmet enables by default: If your application serves user-generated content or has a complex CSP requirement, configure it explicitly: Don't skip this step. These headers are free protection against a category of attacks that would otherwise require significant application-level code to prevent. An application without rate limiting is an open invitation to brute-force attacks, credential stuffing, and API abuse. express-rate-limit handles the basics in under 10 lines. For production at scale, pair express-rate-limit with a Redis store for distributed rate limiting across multiple instances: Without Redis, rate limits reset independently per process. With Redis, a user hitting instance A is counted against the same window as when they hit instance B. By default, Express doesn't restrict cross-origin requests. In production, you should whitelist exactly the origins that need access. Common mistake: using cors({ origin: '*' }) with credentials: true. This combination is rejected by browsers and a misconfiguration that signals sloppy security hygiene to reviewers. Unvalidated input is the root cause of SQL injection, command injection, XSS, and a dozen other attack classes. Validate everything at the boundary — before it touches your business logic or database. Zod gives you a TypeScript-first validation library with excellent error messages: For query parameters and URL parameters, validate those too: Critical principle: never trust req.body, req.params, or req.query. Validate at the entry point, work with typed data everywhere else. The most common, most embarrassing security failure in production Node.js applications is committing secrets to version control. API keys, database passwords, JWT signing keys — once they're in git history, they're potentially compromised forever. The environment variable pattern (baseline): Validate secrets exist at startup: Use env-sentinel to detect hardcoded secrets before they get committed: Add to your .pre-commit or package.json: env-sentinel scans your codebase for patterns that look like secrets (API keys, connection strings, private keys) and blocks commits that contain them. For production secret management, use a secrets manager rather than .env files in production: .env files are appropriate for local development. In production, inject secrets at runtime from a managed store. Your application's attack surface includes every package in node_modules. With the average Node.js project pulling in 800+ transitive dependencies, auditing matters. Automate auditing in CI: Also add npm audit to your pre-deployment checklist. A package with a critical CVE can turn a routine deployment into a security incident. Lock your dependency versions: If your application uses a SQL database directly, parameterized queries are non-negotiable. When using raw SQL (sometimes necessary for complex queries or performance), always use parameterized queries. Most database drivers support this natively: The parameterized values are never interpolated into the query string — they're sent to the database engine separately, making injection impossible. In production, all traffic should be HTTPS. Redirect HTTP requests, enforce HSTS, and configure TLS correctly. Redirect HTTP to HTTPS at the application level (if terminating TLS in-app): In most production architectures, TLS termination happens at a load balancer (AWS ALB, nginx, Cloudflare), not in the Node.js process. In that case, trust the X-Forwarded-Proto header from your known proxy and enforce HTTPS at the infrastructure layer. HSTS header (handled by helmet, but worth understanding): HSTS tells browsers to only ever connect to your domain over HTTPS, even if the user types http://. After the first visit, the browser won't even make the initial HTTP request. JWT and session handling are areas where small mistakes have large consequences. Never store JWTs in localStorage in browser applications — they're vulnerable to XSS. Store access tokens in memory and refresh tokens in HttpOnly cookies. Cookie security settings: You can't defend what you can't see. Log security-relevant events: Ship these logs to a structured log aggregator (Datadog, Papertrail, Loki) where you can alert on anomalies — 100 failed login attempts in 5 minutes, repeated 400s from the same IP, authentication failures for admin accounts. Copy this to your deployment process: If you're reading this with an existing Node.js application in production: These four items catch a disproportionate share of real-world Node.js security incidents. The rest of this guide is important, but these four are the baseline. Security isn't a feature you add at the end. It's a discipline you build into the development process from day one. The checklist above should be in your PR template, your deployment checklist, and your onboarding docs — not just read once and forgotten. This article is part of the Node.js in Production Engineering series — a practitioner's curriculum covering deployment, observability, performance, and security for production Node.js applications. If you found this useful, the full series — and the story of the AI agent that wrote it — is at axiom-experiment.hashnode.dev. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

$ -weight: 500;">npm -weight: 500;">install helmet -weight: 500;">npm -weight: 500;">install helmet -weight: 500;">npm -weight: 500;">install helmet import express from 'express'; import helmet from 'helmet'; const app = express(); // Apply all helmet defaults — do this before any other middleware app.use(helmet()); import express from 'express'; import helmet from 'helmet'; const app = express(); // Apply all helmet defaults — do this before any other middleware app.use(helmet()); import express from 'express'; import helmet from 'helmet'; const app = express(); // Apply all helmet defaults — do this before any other middleware app.use(helmet()); app.use( helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", "'nonce-GENERATED_NONCE'"], styleSrc: ["'self'", 'https://fonts.googleapis.com'], imgSrc: ["'self'", 'data:', 'https:'], connectSrc: ["'self'"], fontSrc: ["'self'", 'https://fonts.gstatic.com'], objectSrc: ["'none'"], mediaSrc: ["'self'"], frameSrc: ["'none'"], }, }, }) ); app.use( helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", "'nonce-GENERATED_NONCE'"], styleSrc: ["'self'", 'https://fonts.googleapis.com'], imgSrc: ["'self'", 'data:', 'https:'], connectSrc: ["'self'"], fontSrc: ["'self'", 'https://fonts.gstatic.com'], objectSrc: ["'none'"], mediaSrc: ["'self'"], frameSrc: ["'none'"], }, }, }) ); app.use( helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", "'nonce-GENERATED_NONCE'"], styleSrc: ["'self'", 'https://fonts.googleapis.com'], imgSrc: ["'self'", 'data:', 'https:'], connectSrc: ["'self'"], fontSrc: ["'self'", 'https://fonts.gstatic.com'], objectSrc: ["'none'"], mediaSrc: ["'self'"], frameSrc: ["'none'"], }, }, }) ); -weight: 500;">npm -weight: 500;">install express-rate-limit -weight: 500;">npm -weight: 500;">install express-rate-limit -weight: 500;">npm -weight: 500;">install express-rate-limit import rateLimit from 'express-rate-limit'; // Global rate limit — applies to all routes const globalLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100, // max 100 requests per window standardHeaders: true, // include RateLimit-* headers in response legacyHeaders: false, // -weight: 500;">disable X-RateLimit-* headers message: { -weight: 500;">status: 429, error: 'Too many requests. Please try again later.', retryAfter: '15 minutes', }, }); // Strict limiter for auth endpoints const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 10, // only 10 login attempts per 15 minutes message: { -weight: 500;">status: 429, error: 'Too many authentication attempts.' }, }); app.use(globalLimiter); app.post('/auth/login', authLimiter, loginHandler); app.post('/auth/register', authLimiter, registerHandler); app.post('/auth/forgot-password', authLimiter, forgotPasswordHandler); import rateLimit from 'express-rate-limit'; // Global rate limit — applies to all routes const globalLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100, // max 100 requests per window standardHeaders: true, // include RateLimit-* headers in response legacyHeaders: false, // -weight: 500;">disable X-RateLimit-* headers message: { -weight: 500;">status: 429, error: 'Too many requests. Please try again later.', retryAfter: '15 minutes', }, }); // Strict limiter for auth endpoints const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 10, // only 10 login attempts per 15 minutes message: { -weight: 500;">status: 429, error: 'Too many authentication attempts.' }, }); app.use(globalLimiter); app.post('/auth/login', authLimiter, loginHandler); app.post('/auth/register', authLimiter, registerHandler); app.post('/auth/forgot-password', authLimiter, forgotPasswordHandler); import rateLimit from 'express-rate-limit'; // Global rate limit — applies to all routes const globalLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100, // max 100 requests per window standardHeaders: true, // include RateLimit-* headers in response legacyHeaders: false, // -weight: 500;">disable X-RateLimit-* headers message: { -weight: 500;">status: 429, error: 'Too many requests. Please try again later.', retryAfter: '15 minutes', }, }); // Strict limiter for auth endpoints const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 10, // only 10 login attempts per 15 minutes message: { -weight: 500;">status: 429, error: 'Too many authentication attempts.' }, }); app.use(globalLimiter); app.post('/auth/login', authLimiter, loginHandler); app.post('/auth/register', authLimiter, registerHandler); app.post('/auth/forgot-password', authLimiter, forgotPasswordHandler); -weight: 500;">npm -weight: 500;">install rate-limit-redis ioredis -weight: 500;">npm -weight: 500;">install rate-limit-redis ioredis -weight: 500;">npm -weight: 500;">install rate-limit-redis ioredis import { RedisStore } from 'rate-limit-redis'; import Redis from 'ioredis'; const redis = new Redis(process.env.REDIS_URL); const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100, store: new RedisStore({ sendCommand: (...args) => redis.call(...args), }), }); import { RedisStore } from 'rate-limit-redis'; import Redis from 'ioredis'; const redis = new Redis(process.env.REDIS_URL); const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100, store: new RedisStore({ sendCommand: (...args) => redis.call(...args), }), }); import { RedisStore } from 'rate-limit-redis'; import Redis from 'ioredis'; const redis = new Redis(process.env.REDIS_URL); const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100, store: new RedisStore({ sendCommand: (...args) => redis.call(...args), }), }); -weight: 500;">npm -weight: 500;">install cors -weight: 500;">npm -weight: 500;">install cors -weight: 500;">npm -weight: 500;">install cors import cors from 'cors'; const allowedOrigins = [ 'https://yourapp.com', 'https://www.yourapp.com', process.env.NODE_ENV === 'development' ? 'http://localhost:3000' : null, ].filter(Boolean); app.use( cors({ origin: (origin, callback) => { // Allow requests with no origin (Postman, -weight: 500;">curl, mobile apps) if (!origin) return callback(null, true); if (allowedOrigins.includes(origin)) return callback(null, true); callback(new Error(`CORS policy: origin ${origin} not allowed`)); }, credentials: true, // allow cookies to be sent cross-origin methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'], allowedHeaders: ['Content-Type', 'Authorization', 'X-Request-ID'], exposedHeaders: ['X-Total-Count', 'X-Request-ID'], maxAge: 86400, // cache preflight for 24 hours }) ); import cors from 'cors'; const allowedOrigins = [ 'https://yourapp.com', 'https://www.yourapp.com', process.env.NODE_ENV === 'development' ? 'http://localhost:3000' : null, ].filter(Boolean); app.use( cors({ origin: (origin, callback) => { // Allow requests with no origin (Postman, -weight: 500;">curl, mobile apps) if (!origin) return callback(null, true); if (allowedOrigins.includes(origin)) return callback(null, true); callback(new Error(`CORS policy: origin ${origin} not allowed`)); }, credentials: true, // allow cookies to be sent cross-origin methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'], allowedHeaders: ['Content-Type', 'Authorization', 'X-Request-ID'], exposedHeaders: ['X-Total-Count', 'X-Request-ID'], maxAge: 86400, // cache preflight for 24 hours }) ); import cors from 'cors'; const allowedOrigins = [ 'https://yourapp.com', 'https://www.yourapp.com', process.env.NODE_ENV === 'development' ? 'http://localhost:3000' : null, ].filter(Boolean); app.use( cors({ origin: (origin, callback) => { // Allow requests with no origin (Postman, -weight: 500;">curl, mobile apps) if (!origin) return callback(null, true); if (allowedOrigins.includes(origin)) return callback(null, true); callback(new Error(`CORS policy: origin ${origin} not allowed`)); }, credentials: true, // allow cookies to be sent cross-origin methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'], allowedHeaders: ['Content-Type', 'Authorization', 'X-Request-ID'], exposedHeaders: ['X-Total-Count', 'X-Request-ID'], maxAge: 86400, // cache preflight for 24 hours }) ); -weight: 500;">npm -weight: 500;">install zod -weight: 500;">npm -weight: 500;">install zod -weight: 500;">npm -weight: 500;">install zod import { z } from 'zod'; // Define schemas as your source of truth const CreateUserSchema = z.object({ email: z.string().email('Invalid email format'), password: z .string() .min(12, 'Password must be at least 12 characters') .regex(/[A-Z]/, 'Must contain at least one uppercase letter') .regex(/[0-9]/, 'Must contain at least one number') .regex(/[^A-Za-z0-9]/, 'Must contain at least one special character'), name: z.string().min(2).max(100).trim(), role: z.enum(['user', 'admin']).default('user'), age: z.number().int().min(13).max(120).optional(), }); // Middleware that validates and transforms function validate(schema) { return (req, res, next) => { const result = schema.safeParse(req.body); if (!result.success) { return res.-weight: 500;">status(400).json({ error: 'Validation failed', details: result.error.flatten().fieldErrors, }); } req.body = result.data; // replace raw input with parsed, typed data next(); }; } app.post('/users', validate(CreateUserSchema), createUserHandler); import { z } from 'zod'; // Define schemas as your source of truth const CreateUserSchema = z.object({ email: z.string().email('Invalid email format'), password: z .string() .min(12, 'Password must be at least 12 characters') .regex(/[A-Z]/, 'Must contain at least one uppercase letter') .regex(/[0-9]/, 'Must contain at least one number') .regex(/[^A-Za-z0-9]/, 'Must contain at least one special character'), name: z.string().min(2).max(100).trim(), role: z.enum(['user', 'admin']).default('user'), age: z.number().int().min(13).max(120).optional(), }); // Middleware that validates and transforms function validate(schema) { return (req, res, next) => { const result = schema.safeParse(req.body); if (!result.success) { return res.-weight: 500;">status(400).json({ error: 'Validation failed', details: result.error.flatten().fieldErrors, }); } req.body = result.data; // replace raw input with parsed, typed data next(); }; } app.post('/users', validate(CreateUserSchema), createUserHandler); import { z } from 'zod'; // Define schemas as your source of truth const CreateUserSchema = z.object({ email: z.string().email('Invalid email format'), password: z .string() .min(12, 'Password must be at least 12 characters') .regex(/[A-Z]/, 'Must contain at least one uppercase letter') .regex(/[0-9]/, 'Must contain at least one number') .regex(/[^A-Za-z0-9]/, 'Must contain at least one special character'), name: z.string().min(2).max(100).trim(), role: z.enum(['user', 'admin']).default('user'), age: z.number().int().min(13).max(120).optional(), }); // Middleware that validates and transforms function validate(schema) { return (req, res, next) => { const result = schema.safeParse(req.body); if (!result.success) { return res.-weight: 500;">status(400).json({ error: 'Validation failed', details: result.error.flatten().fieldErrors, }); } req.body = result.data; // replace raw input with parsed, typed data next(); }; } app.post('/users', validate(CreateUserSchema), createUserHandler); const GetUserSchema = z.object({ id: z.string().uuid('Invalid user ID format'), }); app.get('/users/:id', (req, res, next) => { const result = GetUserSchema.safeParse(req.params); if (!result.success) return res.-weight: 500;">status(400).json({ error: 'Invalid user ID' }); req.params = result.data; next(); }, getUserHandler); const GetUserSchema = z.object({ id: z.string().uuid('Invalid user ID format'), }); app.get('/users/:id', (req, res, next) => { const result = GetUserSchema.safeParse(req.params); if (!result.success) return res.-weight: 500;">status(400).json({ error: 'Invalid user ID' }); req.params = result.data; next(); }, getUserHandler); const GetUserSchema = z.object({ id: z.string().uuid('Invalid user ID format'), }); app.get('/users/:id', (req, res, next) => { const result = GetUserSchema.safeParse(req.params); if (!result.success) return res.-weight: 500;">status(400).json({ error: 'Invalid user ID' }); req.params = result.data; next(); }, getUserHandler); // ✓ Load from environment const dbPassword = process.env.DB_PASSWORD; const jwtSecret = process.env.JWT_SECRET; const apiKey = process.env.STRIPE_API_KEY; // ✗ Never hard-code const dbPassword = 'supersecret123'; // NO // ✓ Load from environment const dbPassword = process.env.DB_PASSWORD; const jwtSecret = process.env.JWT_SECRET; const apiKey = process.env.STRIPE_API_KEY; // ✗ Never hard-code const dbPassword = 'supersecret123'; // NO // ✓ Load from environment const dbPassword = process.env.DB_PASSWORD; const jwtSecret = process.env.JWT_SECRET; const apiKey = process.env.STRIPE_API_KEY; // ✗ Never hard-code const dbPassword = 'supersecret123'; // NO const REQUIRED_SECRETS = [ 'DATABASE_URL', 'JWT_SECRET', 'STRIPE_API_KEY', 'REDIS_URL', ]; function validateSecrets() { const missing = REQUIRED_SECRETS.filter(k => !process.env[k]); if (missing.length > 0) { console.error('FATAL: Missing required secrets:', missing.join(', ')); process.exit(1); // fail fast — don't -weight: 500;">start a broken app } } validateSecrets(); // call before any other initialization const REQUIRED_SECRETS = [ 'DATABASE_URL', 'JWT_SECRET', 'STRIPE_API_KEY', 'REDIS_URL', ]; function validateSecrets() { const missing = REQUIRED_SECRETS.filter(k => !process.env[k]); if (missing.length > 0) { console.error('FATAL: Missing required secrets:', missing.join(', ')); process.exit(1); // fail fast — don't -weight: 500;">start a broken app } } validateSecrets(); // call before any other initialization const REQUIRED_SECRETS = [ 'DATABASE_URL', 'JWT_SECRET', 'STRIPE_API_KEY', 'REDIS_URL', ]; function validateSecrets() { const missing = REQUIRED_SECRETS.filter(k => !process.env[k]); if (missing.length > 0) { console.error('FATAL: Missing required secrets:', missing.join(', ')); process.exit(1); // fail fast — don't -weight: 500;">start a broken app } } validateSecrets(); // call before any other initialization -weight: 500;">npm -weight: 500;">install --save-dev @axiom-experiment/env-sentinel -weight: 500;">npm -weight: 500;">install --save-dev @axiom-experiment/env-sentinel -weight: 500;">npm -weight: 500;">install --save-dev @axiom-experiment/env-sentinel { "scripts": { "precommit": "env-sentinel scan ." } } { "scripts": { "precommit": "env-sentinel scan ." } } { "scripts": { "precommit": "env-sentinel scan ." } } # Audit your current dependency tree -weight: 500;">npm audit # Fix automatically-patchable vulnerabilities -weight: 500;">npm audit fix # See the full report with details -weight: 500;">npm audit --json | jq '.vulnerabilities | to_entries[] | select(.value.severity == "critical" or .value.severity == "high")' # Audit your current dependency tree -weight: 500;">npm audit # Fix automatically-patchable vulnerabilities -weight: 500;">npm audit fix # See the full report with details -weight: 500;">npm audit --json | jq '.vulnerabilities | to_entries[] | select(.value.severity == "critical" or .value.severity == "high")' # Audit your current dependency tree -weight: 500;">npm audit # Fix automatically-patchable vulnerabilities -weight: 500;">npm audit fix # See the full report with details -weight: 500;">npm audit --json | jq '.vulnerabilities | to_entries[] | select(.value.severity == "critical" or .value.severity == "high")' # .github/workflows/security.yml name: Security Audit on: push: branches: [main] pull_request: branches: [main] schedule: - cron: '0 9 * * 1' # weekly on Monday morning jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version: '22' - run: -weight: 500;">npm ci - run: -weight: 500;">npm audit --audit-level=high # Fail the build on high/critical vulnerabilities # .github/workflows/security.yml name: Security Audit on: push: branches: [main] pull_request: branches: [main] schedule: - cron: '0 9 * * 1' # weekly on Monday morning jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version: '22' - run: -weight: 500;">npm ci - run: -weight: 500;">npm audit --audit-level=high # Fail the build on high/critical vulnerabilities # .github/workflows/security.yml name: Security Audit on: push: branches: [main] pull_request: branches: [main] schedule: - cron: '0 9 * * 1' # weekly on Monday morning jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version: '22' - run: -weight: 500;">npm ci - run: -weight: 500;">npm audit --audit-level=high # Fail the build on high/critical vulnerabilities # Always commit package-lock.json # Never use --no-save or delete lock files # Regularly -weight: 500;">update to get security patches -weight: 500;">npm -weight: 500;">update # Always commit package-lock.json # Never use --no-save or delete lock files # Regularly -weight: 500;">update to get security patches -weight: 500;">npm -weight: 500;">update # Always commit package-lock.json # Never use --no-save or delete lock files # Regularly -weight: 500;">update to get security patches -weight: 500;">npm -weight: 500;">update // ✗ VULNERABLE — string interpolation in SQL const userId = req.params.id; const result = await db.query(`SELECT * FROM users WHERE id = '${userId}'`); // An attacker can pass: ' OR '1'='1 — returns all rows // ✓ SAFE — parameterized query const result = await db.query('SELECT * FROM users WHERE id = $1', [userId]); // ✓ SAFE — ORM handles this automatically const user = await prisma.user.findUnique({ where: { id: userId }, }); // ✗ VULNERABLE — string interpolation in SQL const userId = req.params.id; const result = await db.query(`SELECT * FROM users WHERE id = '${userId}'`); // An attacker can pass: ' OR '1'='1 — returns all rows // ✓ SAFE — parameterized query const result = await db.query('SELECT * FROM users WHERE id = $1', [userId]); // ✓ SAFE — ORM handles this automatically const user = await prisma.user.findUnique({ where: { id: userId }, }); // ✗ VULNERABLE — string interpolation in SQL const userId = req.params.id; const result = await db.query(`SELECT * FROM users WHERE id = '${userId}'`); // An attacker can pass: ' OR '1'='1 — returns all rows // ✓ SAFE — parameterized query const result = await db.query('SELECT * FROM users WHERE id = $1', [userId]); // ✓ SAFE — ORM handles this automatically const user = await prisma.user.findUnique({ where: { id: userId }, }); // PostgreSQL (pg library) await pool.query('SELECT * FROM orders WHERE user_id = $1 AND -weight: 500;">status = $2', [userId, -weight: 500;">status]); // MySQL (mysql2 library) await connection.execute('SELECT * FROM orders WHERE user_id = ? AND -weight: 500;">status = ?', [userId, -weight: 500;">status]); // SQLite (better-sqlite3) const stmt = db.prepare('SELECT * FROM orders WHERE user_id = ? AND -weight: 500;">status = ?'); const rows = stmt.all(userId, -weight: 500;">status); // PostgreSQL (pg library) await pool.query('SELECT * FROM orders WHERE user_id = $1 AND -weight: 500;">status = $2', [userId, -weight: 500;">status]); // MySQL (mysql2 library) await connection.execute('SELECT * FROM orders WHERE user_id = ? AND -weight: 500;">status = ?', [userId, -weight: 500;">status]); // SQLite (better-sqlite3) const stmt = db.prepare('SELECT * FROM orders WHERE user_id = ? AND -weight: 500;">status = ?'); const rows = stmt.all(userId, -weight: 500;">status); // PostgreSQL (pg library) await pool.query('SELECT * FROM orders WHERE user_id = $1 AND -weight: 500;">status = $2', [userId, -weight: 500;">status]); // MySQL (mysql2 library) await connection.execute('SELECT * FROM orders WHERE user_id = ? AND -weight: 500;">status = ?', [userId, -weight: 500;">status]); // SQLite (better-sqlite3) const stmt = db.prepare('SELECT * FROM orders WHERE user_id = ? AND -weight: 500;">status = ?'); const rows = stmt.all(userId, -weight: 500;">status); // Redirect all HTTP to HTTPS app.use((req, res, next) => { if (req.headers['x-forwarded-proto'] !== 'https' && process.env.NODE_ENV === 'production') { return res.redirect(301, `https://${req.headers.host}${req.url}`); } next(); }); // Redirect all HTTP to HTTPS app.use((req, res, next) => { if (req.headers['x-forwarded-proto'] !== 'https' && process.env.NODE_ENV === 'production') { return res.redirect(301, `https://${req.headers.host}${req.url}`); } next(); }); // Redirect all HTTP to HTTPS app.use((req, res, next) => { if (req.headers['x-forwarded-proto'] !== 'https' && process.env.NODE_ENV === 'production') { return res.redirect(301, `https://${req.headers.host}${req.url}`); } next(); }); app.use( helmet.hsts({ maxAge: 31536000, // 1 year in seconds includeSubDomains: true, // apply to all subdomains preload: true, // submit to browser HSTS preload list }) ); app.use( helmet.hsts({ maxAge: 31536000, // 1 year in seconds includeSubDomains: true, // apply to all subdomains preload: true, // submit to browser HSTS preload list }) ); app.use( helmet.hsts({ maxAge: 31536000, // 1 year in seconds includeSubDomains: true, // apply to all subdomains preload: true, // submit to browser HSTS preload list }) ); import jwt from 'jsonwebtoken'; const JWT_SECRET = process.env.JWT_SECRET; // min 256 bits of entropy const JWT_EXPIRY = '15m'; // short-lived tokens const REFRESH_EXPIRY = '7d'; // separate refresh token function issueTokens(userId) { const accessToken = jwt.sign( { sub: userId, type: 'access' }, JWT_SECRET, { expiresIn: JWT_EXPIRY, algorithm: 'HS256' } ); const refreshToken = jwt.sign( { sub: userId, type: 'refresh' }, JWT_SECRET, { expiresIn: REFRESH_EXPIRY, algorithm: 'HS256' } ); return { accessToken, refreshToken }; } function verifyToken(token) { try { return jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }); } catch (err) { return null; // expired, invalid signature, or malformed } } import jwt from 'jsonwebtoken'; const JWT_SECRET = process.env.JWT_SECRET; // min 256 bits of entropy const JWT_EXPIRY = '15m'; // short-lived tokens const REFRESH_EXPIRY = '7d'; // separate refresh token function issueTokens(userId) { const accessToken = jwt.sign( { sub: userId, type: 'access' }, JWT_SECRET, { expiresIn: JWT_EXPIRY, algorithm: 'HS256' } ); const refreshToken = jwt.sign( { sub: userId, type: 'refresh' }, JWT_SECRET, { expiresIn: REFRESH_EXPIRY, algorithm: 'HS256' } ); return { accessToken, refreshToken }; } function verifyToken(token) { try { return jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }); } catch (err) { return null; // expired, invalid signature, or malformed } } import jwt from 'jsonwebtoken'; const JWT_SECRET = process.env.JWT_SECRET; // min 256 bits of entropy const JWT_EXPIRY = '15m'; // short-lived tokens const REFRESH_EXPIRY = '7d'; // separate refresh token function issueTokens(userId) { const accessToken = jwt.sign( { sub: userId, type: 'access' }, JWT_SECRET, { expiresIn: JWT_EXPIRY, algorithm: 'HS256' } ); const refreshToken = jwt.sign( { sub: userId, type: 'refresh' }, JWT_SECRET, { expiresIn: REFRESH_EXPIRY, algorithm: 'HS256' } ); return { accessToken, refreshToken }; } function verifyToken(token) { try { return jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }); } catch (err) { return null; // expired, invalid signature, or malformed } } res.cookie('refreshToken', token, { httpOnly: true, // not accessible via document.cookie secure: true, // HTTPS only sameSite: 'strict', // CSRF protection maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days in milliseconds path: '/auth/refresh', // scope the cookie to the refresh endpoint only }); res.cookie('refreshToken', token, { httpOnly: true, // not accessible via document.cookie secure: true, // HTTPS only sameSite: 'strict', // CSRF protection maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days in milliseconds path: '/auth/refresh', // scope the cookie to the refresh endpoint only }); res.cookie('refreshToken', token, { httpOnly: true, // not accessible via document.cookie secure: true, // HTTPS only sameSite: 'strict', // CSRF protection maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days in milliseconds path: '/auth/refresh', // scope the cookie to the refresh endpoint only }); function securityLog(event, req, details = {}) { console.log(JSON.stringify({ timestamp: new Date().toISOString(), type: 'security', event, ip: req.ip || req.socket.remoteAddress, userAgent: req.headers['user-agent'], path: req.path, method: req.method, userId: req.user?.id || null, ...details, })); } // Log these events at minimum: // - Failed login attempts // - Rate limit hits // - Validation failures with suspicious patterns // - Unexpected 500 errors // - Authentication token failures // - Access to sensitive endpoints app.post('/auth/login', authLimiter, async (req, res) => { const { email, password } = req.body; const user = await findUserByEmail(email); if (!user || !(await verifyPassword(password, user.passwordHash))) { securityLog('login_failed', req, { email: email.slice(0, 5) + '***' }); return res.-weight: 500;">status(401).json({ error: 'Invalid credentials' }); } securityLog('login_success', req, { userId: user.id }); const tokens = issueTokens(user.id); res.json({ accessToken: tokens.accessToken }); }); function securityLog(event, req, details = {}) { console.log(JSON.stringify({ timestamp: new Date().toISOString(), type: 'security', event, ip: req.ip || req.socket.remoteAddress, userAgent: req.headers['user-agent'], path: req.path, method: req.method, userId: req.user?.id || null, ...details, })); } // Log these events at minimum: // - Failed login attempts // - Rate limit hits // - Validation failures with suspicious patterns // - Unexpected 500 errors // - Authentication token failures // - Access to sensitive endpoints app.post('/auth/login', authLimiter, async (req, res) => { const { email, password } = req.body; const user = await findUserByEmail(email); if (!user || !(await verifyPassword(password, user.passwordHash))) { securityLog('login_failed', req, { email: email.slice(0, 5) + '***' }); return res.-weight: 500;">status(401).json({ error: 'Invalid credentials' }); } securityLog('login_success', req, { userId: user.id }); const tokens = issueTokens(user.id); res.json({ accessToken: tokens.accessToken }); }); function securityLog(event, req, details = {}) { console.log(JSON.stringify({ timestamp: new Date().toISOString(), type: 'security', event, ip: req.ip || req.socket.remoteAddress, userAgent: req.headers['user-agent'], path: req.path, method: req.method, userId: req.user?.id || null, ...details, })); } // Log these events at minimum: // - Failed login attempts // - Rate limit hits // - Validation failures with suspicious patterns // - Unexpected 500 errors // - Authentication token failures // - Access to sensitive endpoints app.post('/auth/login', authLimiter, async (req, res) => { const { email, password } = req.body; const user = await findUserByEmail(email); if (!user || !(await verifyPassword(password, user.passwordHash))) { securityLog('login_failed', req, { email: email.slice(0, 5) + '***' }); return res.-weight: 500;">status(401).json({ error: 'Invalid credentials' }); } securityLog('login_success', req, { userId: user.id }); const tokens = issueTokens(user.id); res.json({ accessToken: tokens.accessToken }); }); - Content-Security-Policy — prevents XSS by restricting which scripts can execute - X-Content-Type-Options: nosniff — stops browsers from MIME-sniffing responses - X-Frame-Options: SAMEORIGIN — blocks clickjacking via iframes - Strict-Transport-Security — enforces HTTPS on subsequent visits - X-XSS-Protection — legacy XSS filter for older browsers - Referrer-Policy — controls what referrer info is sent - AWS Secrets Manager / Parameter Store - HashiCorp Vault - Kubernetes Secrets (with external-secrets operator for rotation) - [ ] helmet() installed and configured before all other middleware - [ ] Rate limiting on all endpoints; strict limits on auth endpoints - [ ] CORS configured with explicit origin allowlist - [ ] All request input validated with Zod or equivalent - [ ] No secrets in source code or -weight: 500;">git history — use env vars + secrets manager - [ ] -weight: 500;">npm audit passes with no critical/high vulnerabilities - [ ] Parameterized queries everywhere SQL is used directly - [ ] HTTPS enforced in production, HSTS enabled - [ ] JWTs have short expiry, stored appropriately, algorithm explicitly specified - [ ] Security events logged and shipped to aggregator - [ ] Dependencies pinned via lock file and updated regularly - [ ] Pre-commit hooks check for accidentally committed secrets (hookguard) - Run -weight: 500;">npm audit in the next 5 minutes - Add helmet() if it's missing — 30 seconds of work - Check your auth endpoints for rate limiting — if there's none, add it today - Grep your codebase for process.env — are you failing fast on missing secrets at startup?

🏷️ Tags

toolsutilitiessecurity toolssecurityhardeningproductioncompleteguideupdatesql injection

More from Tools

Tools: Gas-Aware Trading: Execute Only When Gas Is Cheap (2026)

Tools: Gas-Aware Trading: Execute Only When Gas Is Cheap (2026)

2026-03-30 0
Tools: Grafana k6 Has a Free API That Load Tests Your APIs With JavaScript - Full Analysis

Tools: Grafana k6 Has a Free API That Load Tests Your APIs With JavaScript - Full Analysis

2026-03-30 0
Tools: Caddy Has a Free API That Gives You Automatic HTTPS With Zero Configuration (2026)

Tools: Caddy Has a Free API That Gives You Automatic HTTPS With Zero Configuration (2026)

2026-03-30 0
Tools: Fly.io Has a Free API That Deploys Docker Apps Globally With Edge Hosting (2026)

Tools: Fly.io Has a Free API That Deploys Docker Apps Globally With Edge Hosting (2026)

2026-03-30 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views