The latest articles on DEV Community by Davanesh Saminathan (@davanesh). https://dev.to/davanesh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3961295%2Fd9045060-87fc-457d-a464-fdf8733fd9d0.jpeg https://dev.to/davanesh en Davanesh Saminathan Tue, 02 Jun 2026 11:08:13 +0000 https://dev.to/davanesh/i-got-tired-of-installing-5-security-packages-in-every-express-project-309n https://dev.to/davanesh/i-got-tired-of-installing-5-security-packages-in-every-express-project-309n <p>Every time I started a new Express.js project, the first few minutes looked exactly the same.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>helmet npm <span class="nb">install </span>express-rate-limit npm <span class="nb">install </span>morgan </code></pre> </div> <p>Then came the setup.</p> <p>Different middleware.</p> <p>Different configuration options.</p> <p>Different documentation.</p> <p>The process wasn't difficult, but after doing it repeatedly across multiple projects, it started to feel unnecessary.</p> <p>I wasn't building new features.</p> <p>I was rebuilding the same security foundation over and over again.</p> <h2> The Pattern I Kept Seeing </h2> <p>Most Express applications need the same baseline protections:</p> <ul> <li>Security headers</li> <li>Rate limiting</li> <li>Request size limits</li> <li>Request logging</li> <li>Secure defaults</li> </ul> <p>Yet every project required installing and configuring multiple packages just to reach that baseline.</p> <p>For experienced developers, that's manageable.</p> <p>For beginners, it's often confusing.</p> <p>And in many projects, security gets postponed until much later in development.</p> <p>Sometimes it never gets added at all.</p> <h2> What If It Was Just One Package? </h2> <p>At some point, I started asking a simple question:</p> <p>Why am I repeating the same setup every time?</p> <p>What if the common security protections could be enabled with a single middleware?</p> <p>Something as simple as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">fortress</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">fortressjs</span><span class="dl">"</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">fortress</span><span class="p">());</span> </code></pre> </div> <p>That question eventually led to the creation of FortressJS.</p> <h2> Building FortressJS </h2> <p>FortressJS started as a personal project to simplify Express API security.</p> <p>The goal wasn't to replace every security package in the Node.js ecosystem.</p> <p>The goal was much simpler:</p> <p>Provide sensible security defaults with minimal setup.</p> <p>Today, FortressJS includes:</p> <ul> <li>Security headers</li> <li>Rate limiting</li> <li>Request size protection</li> <li>Request logging</li> <li>Easy Express integration</li> </ul> <p>Installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>fortressjs </code></pre> </div> <p>Usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">fortress</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">fortressjs</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">fortress</span><span class="p">());</span> </code></pre> </div> <h2> What I Learned Building It </h2> <p>Building FortressJS taught me several lessons.</p> <h3> Simplicity Is a Feature </h3> <p>Developers don't want more configuration.</p> <p>They want fewer decisions.</p> <p>Reducing setup complexity can be just as valuable as adding new functionality.</p> <h3> Scope Can Kill Projects </h3> <p>My initial ideas were much larger.</p> <p>Threat intelligence.</p> <p>Security dashboards.</p> <p>Advanced monitoring.</p> <p>But trying to build everything at once is how many projects fail.</p> <p>Starting small made it possible to actually ship something.</p> <h3> Open Source Is Different </h3> <p>Writing code is only part of the work.</p> <p>Documentation, examples, testing, and feedback are just as important.</p> <p>A project nobody understands won't get used, regardless of how good the code is.</p> <h2> What's Next? </h2> <p>The roadmap for FortressJS currently includes:</p> <ul> <li>Threat detection</li> <li>Security auditing CLI</li> <li>Security scoring</li> <li>Local monitoring dashboard</li> </ul> <p>The focus remains the same:</p> <p>Make API security easier for Node.js developers.</p> <h2> Final Thoughts </h2> <p>FortressJS started because I was tired of repeating the same security setup in every Express project.</p> <p>Instead of doing it again, I decided to build a tool that could automate the process.</p> <p>The project is still in its early stages, and feedback is always welcome.</p> <p>⭐ GitHub: <a href="https://github.com/davanesh/fortressjs" rel="noopener noreferrer">https://github.com/davanesh/fortressjs</a></p> <p>📦 NPM Packages:</p> <ul> <li>Core: <a href="https://www.npmjs.com/package/@fortressjs/core" rel="noopener noreferrer">https://www.npmjs.com/package/@fortressjs/core</a> — The main FortressJS package that provides security middleware, rate limiting, request protection, and secure defaults for Express applications.</li> <li>CLI: <a href="https://www.npmjs.com/package/@fortressjs/cli" rel="noopener noreferrer">https://www.npmjs.com/package/@fortressjs/cli</a> — Command-line tool for auditing, analyzing, and managing FortressJS security features.</li> </ul> <p>If you're building Express APIs, what security package do you install first?</p> node express security opensource Davanesh Saminathan Tue, 02 Jun 2026 10:41:05 +0000 https://dev.to/davanesh/10-security-mistakes-most-express-apis-make-and-how-to-fix-them-4jki https://dev.to/davanesh/10-security-mistakes-most-express-apis-make-and-how-to-fix-them-4jki <p>Building APIs with Express.js is fast and enjoyable, but security is often treated as something to handle later. Unfortunately, small security mistakes can expose applications to attacks, data leaks, and service disruptions.</p> <p>In this article, we'll look at 10 common security mistakes developers make when building Express APIs and how to fix them.</p> <h2> 1. Not Using Security Headers </h2> <p>By default, Express does not add many security-related HTTP headers.</p> <p>Without proper headers, applications may be vulnerable to attacks such as clickjacking and MIME-type sniffing.</p> <h3> Fix </h3> <p>Install Helmet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>helmet </code></pre> </div> <p>Use it in your application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">helmet</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">helmet</span><span class="dl">"</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">helmet</span><span class="p">());</span> </code></pre> </div> <h2> 2. No Rate Limiting </h2> <p>Without rate limiting, attackers can spam endpoints, brute-force login forms, or overwhelm your server.</p> <h3> Fix </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>express-rate-limit </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">rateLimit</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express-rate-limit</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">limiter</span><span class="p">);</span> </code></pre> </div> <h2> 3. Exposing Stack Traces in Production </h2> <p>Detailed error messages may reveal sensitive implementation details.</p> <h3> Bad Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">stack</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h3> Better </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Internal Server Error</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Keep detailed logs on the server, not in client responses.</p> <h2> 4. Trusting User Input </h2> <p>Never trust incoming data.</p> <p>Attackers can send malformed requests, inject malicious payloads, or bypass assumptions.</p> <h3> Fix </h3> <p>Validate all incoming requests using libraries such as:</p> <ul> <li>Zod</li> <li>Joi</li> <li>express-validator</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">email</span><span class="p">(),</span> <span class="p">});</span> </code></pre> </div> <h2> 5. Hardcoding Secrets </h2> <p>One of the most common mistakes is storing secrets directly in source code.</p> <h3> Avoid </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">API_KEY</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">my-secret-key</span><span class="dl">"</span><span class="p">;</span> </code></pre> </div> <h3> Better </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">API_KEY</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_KEY</span><span class="p">;</span> </code></pre> </div> <p>Store secrets in environment variables instead.</p> <h2> 6. Missing Request Size Limits </h2> <p>Attackers can send extremely large payloads and consume server resources.</p> <h3> Fix </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">limit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1mb</span><span class="dl">"</span><span class="p">,</span> <span class="p">}));</span> </code></pre> </div> <p>Choose limits appropriate for your application.</p> <h2> 7. Using Outdated Dependencies </h2> <p>Security vulnerabilities are regularly discovered in npm packages.</p> <h3> Fix </h3> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm audit </code></pre> </div> <p>And keep dependencies updated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm update </code></pre> </div> <h2> 8. Weak Authentication Practices </h2> <p>Common mistakes include:</p> <ul> <li>Weak passwords</li> <li>Long-lived tokens</li> <li>Missing password hashing</li> <li>No multi-factor authentication</li> </ul> <h3> Fix </h3> <p>Use:</p> <ul> <li>bcrypt or Argon2 for password hashing</li> <li>JWT expiration times</li> <li>MFA where appropriate</li> </ul> <h2> 9. No Logging or Monitoring </h2> <p>If an incident occurs, logs are often the only way to understand what happened.</p> <h3> Fix </h3> <p>Implement structured logging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">morgan</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">morgan</span><span class="dl">"</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">morgan</span><span class="p">(</span><span class="dl">"</span><span class="s2">combined</span><span class="dl">"</span><span class="p">));</span> </code></pre> </div> <p>Monitor unusual traffic patterns and failed authentication attempts.</p> <h2> 10. Assuming HTTPS Is Optional </h2> <p>HTTP traffic can be intercepted and modified.</p> <h3> Fix </h3> <p>Always use HTTPS in production.</p> <p>If you're deploying behind a reverse proxy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">trust proxy</span><span class="dl">"</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> </code></pre> </div> <p>And enforce HTTPS wherever possible.</p> <h1> Final Thoughts </h1> <p>Security isn't a feature you add at the end of a project. It should be part of the development process from day one.</p> <p>The good news is that most of these issues can be fixed with just a few lines of code.</p> <p>While exploring common Express security challenges, I've also been building <strong>FortressJS</strong>, an open-source project focused on making API security easier for Node.js developers.</p> <p>What security mistake do you see most often in Express applications?</p> <p>Thanks for reading! 🚀</p> node express security webdev