Server-Side SEO for CRA: How We Injected Dynamic Meta Tags Without Migrating to Next.js

Yogesh Kr. Gupta — Wed, 19 Nov 2025 17:52:13 +0000

🚀 Server-Side SEO for CRA: How We Injected Dynamic Meta Tags Without Migrating to Next.js

TL;DR: We solved a major SEO problem in a large Create React App (CRA) by building a lightweight Node/Express proxy layer. This server-side injector fetches dynamic SEO metadata and sitemaps from a central service, putting an end to static <head> issues.

🎯 The Problem: Why CRA Fails at SEO

Create React App (CRA) and other Single Page Applications (SPAs) are built for speed and client-side rendering. However, they ship a single, static index.html.

For a site with thousands of dynamic routes (e.g., /products/1001, /articles/title), the page header looks the same to crawlers and social media scrapers:

<html>
<head>
    <title>React App</title>
    <meta name="description" content="Default description" />
    </head>
</html>

This leads to:

Poor SERP Appearance: Google uses generic titles/descriptions for dynamic pages.

No Social Previews (OG): Links shared on LinkedIn/X/Facebook lack images, titles, and descriptions.

Complex Sitemap Management: No easy way to generate and serve sitemaps for dynamic content.

Migrating the entire application to an SSR framework like Next.js was ruled out due to cost and complexity. We needed an incremental, low-risk solution.

✨ The Solution: The Express SEO Proxy Injector

Our approach was to introduce a small, robust Node/Express proxy server that sits in front of the static CRA build.

This server acts as a gatekeeper:

It serves all static assets (.js, .css, etc.) directly from the CRA /build folder.

It intercepts all dynamic route requests (/page-slug, /profile/user).

For dynamic routes, it contacts a central SEO Content API to fetch the necessary metadata.

It modifies the original index.html on the fly, injecting the dynamic meta tags before sending the final, SEO-optimized HTML to the client or crawler.

Architecture Flow

Here's the detailed request lifecycle:

Request received: A user or crawler hits https://site.com/dynamic/page.

Express Intercepts: The Express layer checks if the request is for a static file. If not, it proceeds to Step 3.

API Call: Express calls the central SEO service (https://YOUR_SEO_API.example.com/GetSeoMetaTags?url=...).

HTML Modification:
It reads the static /build/index.html.

It uses RegEx to remove the old, static

and tags.

It injects the dynamic SEO HTML fragment returned by the API before .

Response: The optimized HTML, containing the correct, dynamic meta tags, is sent to the client.

💻 The Sanitized Code Breakdown

The entire core logic is contained in a single file, demonstrating the pattern clearly.

Disclaimer: Real domains and secrets are replaced with placeholders. You can view and clone the runnable code on GitHub: https://github.com/YogeshYKG/dynamic-seo-for-cra-without-ssr

1. The Setup & Handlers
We use express, axios for API calls, and dotenv for configuration.

// server-seo-sitemap.js (sanitized example)
require("dotenv").config();
const express = require("express");
const fs = require("fs");
const path = require("path");
const axios = require("axios");
// ... setup variables ...

// Static assets handler: serves files directly from /build
app.get("*.*", (req, res) => {
    // ... logic to serve static files ...
});

// Sitemap handler: proxies requests for *.xml files
app.get("/*.xml", async (req, res) => {
    try {
        // ... logic to call SEO API and return XML ...
    } catch (err) {
        // ... error handling ...
    }
});

2. Fetching and Sanitizing (The Crucial Parts)
The fetchSEOTags handles the API call, and removeDefaultSEOTags uses regular expressions to clear out the old content.

// Function to remove CRA default meta tags 
function removeDefaultSEOTags(html) {
    return html
        .replace(/<title>[\s\S]*?<\/title>/i, "")
        .replace(/<meta[^>]*name=["']description["'][^>]*>/i, "")
        // ... (removed other meta/link regexes for brevity) ...
}

// Main HTML handler 
app.get("*", async (req, res) => {
    const urlPath = req.path;
    const indexFile = path.join(BUILD_DIR, "index.html");
    const seoHTML = await fetchSEOTags(urlPath); // Call API

    // Optional: Logic to inject client-side redirect if 'alternate' link is present
    let redirectScript = "";
    // ... logic for redirect script creation ...

    fs.readFile(indexFile, "utf8", (err, html) => {
        if (err) return res.status(500).send("Internal Server Error");

        let cleanedHTML = removeDefaultSEOTags(html); // Clean the head

        // Inject SEO HTML and optional script before </head>
        const finalHTML = cleanedHTML.replace(/<\/head>/i, `\n${seoHTML}\n${redirectScript}\n</head>`);

        res.send(finalHTML);
    });
});

🛠️ Performance, Security, and Tradeoffs

This pattern is effective but introduces new challenges that must be addressed:

Tradeoffs
Latency: The first request now involves an extra API call. Mitigation: Implement aggressive caching.

Complexity: Requires maintaining a separate SEO API service and managing cache invalidation rules.

Security & Stability Checklist

Area,Mitigation
API Latency,"Implement a strict request timeout (e.g., 2 seconds) on axios calls and use the defaultSEO fallback immediately on timeout."
Performance,Implement an in-memory or Redis cache keyed by URL path (/page-slug). Use a short TTL.
XSS/Abuse,"The code must sanitize/escape the seoHTML fragment returned by the API to ensure only allowed <meta>, <title>, and <link> tags are injected."
Redirects,"Whitelist the domains allowed in the <link rel=""alternate"" href=""...""> tag to prevent open-redirect vulnerabilities via the injected script."

Feedback, suggestions, and alternatives are welcome!

🔗 GitHub Repo (Full Code):

https://github.com/YogeshYKG/dynamic-seo-for-cra-without-ssr

DEV Community: Yogesh Kr. Gupta