DEV Community: Zia Ullah The latest articles on DEV Community by Zia Ullah (@zia_ullah_zia). https://dev.to/zia_ullah_zia https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2812210%2Ffa229547-c713-4561-a8eb-e01ddaaeb846.jpg DEV Community: Zia Ullah https://dev.to/zia_ullah_zia en How to Deploy a Full-Stack Node.js App on Azure: A Step-by-Step Guide Zia Ullah Sat, 13 Jun 2026 23:32:59 +0000 https://dev.to/zia_ullah_zia/how-to-deploy-a-full-stack-nodejs-app-on-azure-a-step-by-step-guide-5535 https://dev.to/zia_ullah_zia/how-to-deploy-a-full-stack-nodejs-app-on-azure-a-step-by-step-guide-5535 <p>The first time I deployed a production app to Azure, I spent three hours troubleshooting a crash that turned out to be one line: the app was listening on port 3000 instead of <code>process.env.PORT</code>. Azure injects its own port at runtime, and if your app ignores it, the health check fails silently and the whole thing dies on startup.</p> <p>That was my introduction to cloud deployment. Since then I've deployed several production apps to Azure across different projects. I've made most of the mistakes worth making, and this guide is the walkthrough I wish I'd had.</p> <p>We'll cover App Service, Azure Database for PostgreSQL, environment variables, and a GitHub Actions CI/CD pipeline that handles deployments automatically.</p> <h2> Prerequisites </h2> <ul> <li>An Azure account (free tier works for this guide)</li> <li>A Node.js app (Express or similar) with a <code>package.json</code> </li> <li>PostgreSQL as your database</li> <li>A GitHub repository for your code</li> <li>Azure CLI installed locally</li> </ul> <h2> What We'll Deploy </h2> <ul> <li> <strong>Backend:</strong> Node.js / Express API</li> <li> <strong>Database:</strong> Azure Database for PostgreSQL (Flexible Server)</li> <li> <strong>Hosting:</strong> Azure App Service (Linux)</li> <li> <strong>CI/CD:</strong> GitHub Actions</li> </ul> <h2> Step 1: Create a Resource Group </h2> <p>Everything in Azure lives inside a Resource Group — a logical container for all your app's cloud resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az login az group create <span class="se">\</span> <span class="nt">--name</span> myapp-rg <span class="se">\</span> <span class="nt">--location</span> westeurope </code></pre> </div> <p>Use a location close to your users. <code>westeurope</code> (Netherlands) works well for European users.</p> <h2> Step 2: Create the PostgreSQL Database </h2> <p>Today, the recommended option is Azure Database for PostgreSQL Flexible Server. It is cheaper and more flexible than the older Single Server from Azure, which is being retired.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az postgres flexible-server create <span class="se">\</span> <span class="nt">--resource-group</span> myapp-rg <span class="se">\</span> <span class="nt">--name</span> myapp-db-server <span class="se">\</span> <span class="nt">--location</span> westeurope <span class="se">\</span> <span class="nt">--admin-user</span> dbadmin <span class="se">\</span> <span class="nt">--admin-password</span> YourStrongPassword123! <span class="se">\</span> <span class="nt">--sku-name</span> Standard_B1ms <span class="se">\</span> <span class="nt">--tier</span> Burstable <span class="se">\</span> <span class="nt">--storage-size</span> 32 <span class="se">\</span> <span class="nt">--version</span> 15 </code></pre> </div> <p>Then create your database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az postgres flexible-server db create <span class="se">\</span> <span class="nt">--resource-group</span> myapp-rg <span class="se">\</span> <span class="nt">--server-name</span> myapp-db-server <span class="se">\</span> <span class="nt">--database-name</span> myappdb </code></pre> </div> <p>Allow your App Service to connect by adding a firewall rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az postgres flexible-server firewall-rule create <span class="se">\</span> <span class="nt">--resource-group</span> myapp-rg <span class="se">\</span> <span class="nt">--name</span> myapp-db-server <span class="se">\</span> <span class="nt">--rule-name</span> AllowAzureServices <span class="se">\</span> <span class="nt">--start-ip-address</span> 0.0.0.0 <span class="se">\</span> <span class="nt">--end-ip-address</span> 0.0.0.0 </code></pre> </div> <p>Setting start and end IP to <code>0.0.0.0</code> allows Azure-internal traffic. This is fine for App Service to Database communication — just don't open it to public internet IPs.</p> <h2> Step 3: Create the App Service Plan and Web App </h2> <p>The compute resources are defined by the App Service Plan. Begin at B1 (Basic) and develop later if required.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az appservice plan create <span class="se">\</span> <span class="nt">--name</span> myapp-plan <span class="se">\</span> <span class="nt">--resource-group</span> myapp-rg <span class="se">\</span> <span class="nt">--sku</span> B1 <span class="se">\</span> <span class="nt">--is-linux</span> az webapp create <span class="se">\</span> <span class="nt">--name</span> myapp-api <span class="se">\</span> <span class="nt">--resource-group</span> myapp-rg <span class="se">\</span> <span class="nt">--plan</span> myapp-plan <span class="se">\</span> <span class="nt">--runtime</span> <span class="s2">"NODE:20-lts"</span> </code></pre> </div> <p>Your app will be live at: <code>https://myapp-api.azurewebsites.net</code></p> <h2> Step 4: Set Environment Variables </h2> <p>Never put secrets in your code. Azure App Service has Application Settings. They are injected as environment variables on runtime, never touching your source code or repository.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az webapp config appsettings <span class="nb">set</span> <span class="se">\</span> <span class="nt">--name</span> myapp-api <span class="se">\</span> <span class="nt">--resource-group</span> myapp-rg <span class="se">\</span> <span class="nt">--settings</span> <span class="se">\</span> <span class="nv">NODE_ENV</span><span class="o">=</span>production <span class="se">\</span> <span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"postgresql://dbadmin:YourStrongPassword123!@myapp-db-server.postgres.database.azure.com/myappdb?sslmode=require"</span> <span class="se">\</span> <span class="nv">JWT_SECRET</span><span class="o">=</span><span class="s2">"your-secret-key-here"</span> <span class="se">\</span> <span class="nv">PORT</span><span class="o">=</span>8080 </code></pre> </div> <p>In your Node.js app, read them as normal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">dbUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">jwtSecret</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">;</span> </code></pre> </div> <p>And this is the fix for the port issue I mentioned at the start — make sure your server uses <code>process.env.PORT</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span> <span class="o">||</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Running on port </span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">));</span> </code></pre> </div> <h2> Step 5: Prepare Your App for Production </h2> <p>Make sure your <code>package.json</code> has a <code>start</code> script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"start"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node server.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm install --production"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Azure PostgreSQL requires SSL. If you're using the <code>pg</code> package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">Pool</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">pg</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pool</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Pool</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="p">,</span> <span class="na">ssl</span><span class="p">:</span> <span class="p">{</span> <span class="na">rejectUnauthorized</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Pin your Node.js version in <code>package.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"engines"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&gt;=20.0.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Step 6: Deploy with GitHub Actions (CI/CD) </h2> <p>Manual deployments are OK, but once you have GitHub Actions set up, every push to <code>main</code> automatically deploys. The azure documentation for this is not great so here is the exact process:</p> <p>Get your publish profile:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az webapp deployment list-publishing-profiles <span class="se">\</span> <span class="nt">--name</span> myapp-api <span class="se">\</span> <span class="nt">--resource-group</span> myapp-rg <span class="se">\</span> <span class="nt">--xml</span> </code></pre> </div> <p>Copy the XML output. In your GitHub repo go to <strong>Settings → Secrets → Actions</strong> and add a secret called <code>AZURE_WEBAPP_PUBLISH_PROFILE</code> with that XML as the value.</p> <p>Then create <code>.github/workflows/deploy.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Azure</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci --production</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Azure Web App</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/webapps-deploy@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">app-name</span><span class="pi">:</span> <span class="s">myapp-api</span> <span class="na">publish-profile</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}</span> <span class="na">package</span><span class="pi">:</span> <span class="s">.</span> </code></pre> </div> <p>Push to <code>main</code>, watch the Actions tab, and your app is live within a couple of minutes.</p> <h2> Step 7: Run Database Migrations on Deploy </h2> <p>If you use a migration tool like Knex or db-migrate, add a migration step before deploying:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run database migrations</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run migrate</span> <span class="na">env</span><span class="pi">:</span> <span class="na">DATABASE_URL</span><span class="pi">:</span> <span class="s">${{ secrets.DATABASE_URL }}</span> </code></pre> </div> <p>Add <code>DATABASE_URL</code> as a separate GitHub Actions secret for this.</p> <h2> Step 8: Set Up Health Checks </h2> <p>Add a health endpoint to your app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ok</span><span class="dl">'</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Configure Azure to use it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az webapp config <span class="nb">set</span> <span class="se">\</span> <span class="nt">--name</span> myapp-api <span class="se">\</span> <span class="nt">--resource-group</span> myapp-rg <span class="se">\</span> <span class="nt">--generic-configurations</span> <span class="s1">'{"healthCheckPath": "/health"}'</span> </code></pre> </div> <p>Azure periodically pings this endpoint. If it gets anything other than 200, it takes traffic off that instance and starts it back up again. It's saved me a few times when a deployment went awry.</p> <h2> Monitoring and Logs </h2> <p>To stream live logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az webapp log <span class="nb">tail</span> <span class="se">\</span> <span class="nt">--name</span> myapp-api <span class="se">\</span> <span class="nt">--resource-group</span> myapp-rg </code></pre> </div> <p>For Application Insights, initialize the SDK at the very top of your entry file, before any other imports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">appInsights</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">applicationinsights</span><span class="dl">'</span><span class="p">);</span> <span class="nx">appInsights</span><span class="p">.</span><span class="nf">setup</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APPLICATIONINSIGHTS_CONNECTION_STRING</span><span class="p">).</span><span class="nf">start</span><span class="p">();</span> </code></pre> </div> <h2> Things That Caught Me Off Guard </h2> <p>A few things from running Node.js apps on Azure in production that aren't obvious from the docs.</p> <p>Turn on "Always On" under Configuration → General Settings. By default, Azure puts your app to sleep after a period of inactivity on lower tiers. If you're building anything where users expect instant response — not a 15-second cold start — you need this on. I've seen clients blame "the server" for slowness when it was just Azure waking up from idle.</p> <p>Use deployment slots. Azure App Service lets you deploy to a staging slot first, verify everything works, then swap to production with zero downtime. The swap is quick and reversible. I started using this after a bad deployment took down a production app during business hours. It won't happen again.</p> <p>Watch your PostgreSQL CPU credits on the Burstable tier. The B1ms is cheap but runs on burstable CPU — you have a credit bucket that depletes under sustained load. Set up an Azure Monitor alert on CPU credit balance so you know before the instance starts throttling, not after users start complaining.</p> <h2> Wrapping Up </h2> <p>From the first <code>az login</code> to a live URL takes about 30 minutes. After that, the GitHub Actions pipeline handles every deployment automatically. Migrations run on push, and health checks restart the app if anything goes wrong.</p> <p>The things that trip up most people are the PORT variable, SSL on the PostgreSQL connection, and forgetting to turn on Always On. Get these right from the start, and you'll save yourself a few hours of debugging.</p> <p>Zia Ullah is a full-stack developer with over 12 years of experience, starting in 2013. He specializes in web applications for healthcare and SaaS. He works at <a href="https://www.valueadd.se" rel="noopener noreferrer">ValueAdd</a>, a software development company based in Sweden.</p> azure cicd node tutorial How to Build a Secure Audit Trail in Your Web App (No Third-Party Tools) Zia Ullah Sat, 13 Jun 2026 22:48:18 +0000 https://dev.to/zia_ullah_zia/how-to-build-a-secure-audit-trail-in-your-web-app-no-third-party-tools-h1g https://dev.to/zia_ullah_zia/how-to-build-a-secure-audit-trail-in-your-web-app-no-third-party-tools-h1g <p>How to Build a Secure Audit Trail in Your Web App (No Third-Party Tools)<br> I never cared for audit trails too much until we did our first compliance review on a healthcare project I was working on. The first question asked of the auditor was: </p> <blockquote> <p>Please provide me with everything you did to this record in the last 90 days.</p> </blockquote> <p>We could not. Not properly, anyway.</p> <p>At that point, I made logging not an afterthought. When you are building anything that involves some sensitive data, your builds could be in healthcare, or maybe finance, or perhaps internal admin tools — you need a real audit trail. Not some console. queryable, a tamper-resistant log of who did what and when —log wrapper.<br> Here is a tutorial on how to build your own from scratch using Node.js, Express, and PostgreSQL. No third-party service is needed.</p> <h2> Prerequisites </h2> <ul> <li>Node.js (v18+)</li> <li>PostgreSQL (v14+)</li> <li>Basics of SQL and Express</li> <li> <code>pg npm</code> package for Database Access Management</li> </ul> <h2> What Is an Audit Trail? </h2> <p>An audit trail is a record of all important events that have taken place in your system in an append-only style. The magic word is append-only — rows are appended, rows can never change or be deleted. That’s what makes it reliable.<br> When something goes wrong — a record gets changed, data goes missing, a user complains their information was modified — you want to be able to pull up a timeline and say exactly what happened. Without a proper audit trail, you're guessing.<br> The things you need to capture per action: who did it, what they did, which record was affected, when it happened, what changed (before and after), and where the request came from (IP, device).</p> <h2> Step 1: Design the Audit Log Table </h2> <p>The audit log lives in its own table and should be treated as write-only.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">audit_logs</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">user_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">user_email</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">action</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="c1">-- 'CREATE', 'UPDATE', 'DELETE', 'VIEW'</span> <span class="n">resource</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="c1">-- table or resource name, e.g. 'medications'</span> <span class="n">resource_id</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="c1">-- the affected record's ID</span> <span class="n">old_values</span> <span class="n">JSONB</span><span class="p">,</span> <span class="c1">-- snapshot before change</span> <span class="n">new_values</span> <span class="n">JSONB</span><span class="p">,</span> <span class="c1">-- snapshot after change</span> <span class="n">ip_address</span> <span class="n">INET</span><span class="p">,</span> <span class="n">user_agent</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">);</span> <span class="c1">-- Index for fast lookups by user or resource</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_audit_user_id</span> <span class="k">ON</span> <span class="n">audit_logs</span><span class="p">(</span><span class="n">user_id</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_audit_resource</span> <span class="k">ON</span> <span class="n">audit_logs</span><span class="p">(</span><span class="n">resource</span><span class="p">,</span> <span class="n">resource_id</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_audit_created_at</span> <span class="k">ON</span> <span class="n">audit_logs</span><span class="p">(</span><span class="n">created_at</span> <span class="k">DESC</span><span class="p">);</span> </code></pre> </div> <p>A few things worth noting about the design. JSONB for old/new values means you don't have to run a migration every time your data model changes — the log just captures whatever shape the record had at that point in time. <code>TIMESTAMPTZ</code> instead of <code>TIMESTAMP</code> is important if your users are in different time zones. And there's no <code>updated_at</code> column here — audit logs don't get updated.</p> <h2> Step 2: Create an Audit Service </h2> <p>Consolidate audit logging in a single service to make it consistent and easy to call from anywhere.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// services/auditService.js</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">pool</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../db</span><span class="dl">'</span><span class="p">);</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">log</span><span class="p">({</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">userEmail</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="nx">resource</span><span class="p">,</span> <span class="nx">resourceId</span> <span class="o">=</span> <span class="kc">null</span><span class="p">,</span> <span class="nx">oldValues</span> <span class="o">=</span> <span class="kc">null</span><span class="p">,</span> <span class="nx">newValues</span> <span class="o">=</span> <span class="kc">null</span><span class="p">,</span> <span class="nx">ipAddress</span> <span class="o">=</span> <span class="kc">null</span><span class="p">,</span> <span class="nx">userAgent</span> <span class="o">=</span> <span class="kc">null</span><span class="p">,</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="s2">` INSERT INTO audit_logs (user_id, user_email, action, resource, resource_id, old_values, new_values, ip_address, user_agent) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) `</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">values</span> <span class="o">=</span> <span class="p">[</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">userEmail</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="nx">resource</span><span class="p">,</span> <span class="nx">resourceId</span><span class="p">,</span> <span class="nx">oldValues</span> <span class="p">?</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">oldValues</span><span class="p">)</span> <span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="nx">newValues</span> <span class="p">?</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">newValues</span><span class="p">)</span> <span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="nx">ipAddress</span><span class="p">,</span> <span class="nx">userAgent</span><span class="p">,</span> <span class="p">];</span> <span class="c1">// Don't await — fire-and-forget to avoid blocking the main request</span> <span class="nx">pool</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="nx">values</span><span class="p">).</span><span class="k">catch</span><span class="p">((</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">[AuditService] Failed to write audit log:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">log</span> <span class="p">};</span> </code></pre> </div> <p>Look at <code>pool.query</code> is called without <code>await</code>. This is by design; audit logging should never cause a user-facing request to fail or slow down. I learned this the hard way when a slow database insert blocked a critical record update in production. It was easily fixed. Fire and forget. Catch errors silently and move on.</p> <h2> Step 3: Add It to Your Routes </h2> <p>Here's a real example — updating a sensitive record:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">audit</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../services/auditService</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getRecordById</span><span class="p">,</span> <span class="nx">updateRecord</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../models/record</span><span class="dl">'</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="dl">'</span><span class="s1">/:id</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userEmail</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Fetch the current state before updating</span> <span class="kd">const</span> <span class="nx">oldRecord</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getRecordById</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="c1">// Perform the update</span> <span class="kd">const</span> <span class="nx">updated</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">updateRecord</span><span class="p">(</span><span class="nx">id</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="c1">// Log the change</span> <span class="nx">audit</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">userEmail</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UPDATE</span><span class="dl">'</span><span class="p">,</span> <span class="na">resource</span><span class="p">:</span> <span class="dl">'</span><span class="s1">records</span><span class="dl">'</span><span class="p">,</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">id</span><span class="p">,</span> <span class="na">oldValues</span><span class="p">:</span> <span class="nx">oldRecord</span><span class="p">,</span> <span class="na">newValues</span><span class="p">:</span> <span class="nx">updated</span><span class="p">,</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">user-agent</span><span class="dl">'</span><span class="p">],</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">updated</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Always capture <code>oldValues</code> before changing them. Once you take the record away, it’s gone.</p> <h2> Step 4: Build an Express Middleware for Read Logging </h2> <p>For sensitive resources, you may want to log even read (VIEW) actions. Use middleware so you don't have to add it to every route manually.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// middleware/auditRead.js</span> <span class="kd">const</span> <span class="nx">audit</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../services/auditService</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">auditRead</span><span class="p">(</span><span class="nx">resource</span><span class="p">)</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="nx">audit</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">userEmail</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">VIEW</span><span class="dl">'</span><span class="p">,</span> <span class="nx">resource</span><span class="p">,</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span> <span class="o">||</span> <span class="kc">null</span><span class="p">,</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">user-agent</span><span class="dl">'</span><span class="p">],</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">auditRead</span><span class="p">;</span> </code></pre> </div> <p>Apply it to any route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">auditRead</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../middleware/auditRead</span><span class="dl">'</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/:id</span><span class="dl">'</span><span class="p">,</span> <span class="nf">auditRead</span><span class="p">(</span><span class="dl">'</span><span class="s1">records</span><span class="dl">'</span><span class="p">),</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// your handler</span> <span class="p">});</span> </code></pre> </div> <h2> Step 5: Query the Audit Log </h2> <p>Give your admins a way to read the log. Here's a simple API endpoint with filtering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">resource</span><span class="p">,</span> <span class="k">from</span><span class="p">,</span> <span class="nx">to</span><span class="p">,</span> <span class="nx">limit</span> <span class="o">=</span> <span class="mi">100</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">SELECT * FROM audit_logs WHERE 1=1</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">if </span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="nx">params</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="nx">query</span> <span class="o">+=</span> <span class="s2">` AND user_id = $</span><span class="p">${</span><span class="nx">params</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">resource</span><span class="p">)</span> <span class="p">{</span> <span class="nx">params</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">resource</span><span class="p">);</span> <span class="nx">query</span> <span class="o">+=</span> <span class="s2">` AND resource = $</span><span class="p">${</span><span class="nx">params</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="k">from</span><span class="p">)</span> <span class="p">{</span> <span class="nx">params</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="k">from</span><span class="p">);</span> <span class="nx">query</span> <span class="o">+=</span> <span class="s2">` AND created_at &gt;= $</span><span class="p">${</span><span class="nx">params</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">to</span><span class="p">)</span> <span class="p">{</span> <span class="nx">params</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">to</span><span class="p">);</span> <span class="nx">query</span> <span class="o">+=</span> <span class="s2">` AND created_at &lt;= $</span><span class="p">${</span><span class="nx">params</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="nx">params</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nf">parseInt</span><span class="p">(</span><span class="nx">limit</span><span class="p">),</span> <span class="mi">500</span><span class="p">));</span> <span class="nx">query</span> <span class="o">+=</span> <span class="s2">` ORDER BY created_at DESC LIMIT $</span><span class="p">${</span><span class="nx">params</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pool</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="nx">params</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">rows</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Cap the limit (here at 500) to prevent someone from accidentally dumping the entire log in one request.</p> <h2> Step 6: Protect the Audit Log </h2> <p>The audit table is only useful if nobody can tamper with it. Enforce this at the database level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">REVOKE</span> <span class="k">DELETE</span><span class="p">,</span> <span class="k">UPDATE</span> <span class="k">ON</span> <span class="n">audit_logs</span> <span class="k">FROM</span> <span class="n">app_user</span><span class="p">;</span> </code></pre> </div> <p>Beyond that, only admins and compliance roles should be able to query the log. Consider a separate database user for writing vs. reading: your API uses <code>audit_writer</code> (INSERT only), your admin dashboard uses <code>audit_reader</code> (SELECT only). A compromised API key cannot read the audit history, even if it tries.</p> <h2> Handling Bulk Operations </h2> <p>When a single action affects multiple records, create one audit entry per record — not one entry for the entire batch. This makes it possible to trace the history of any individual record without parsing bulk entries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">record</span> <span class="k">of</span> <span class="nx">affectedRecords</span><span class="p">)</span> <span class="p">{</span> <span class="nx">audit</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">userEmail</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">,</span> <span class="na">resource</span><span class="p">:</span> <span class="dl">'</span><span class="s1">items</span><span class="dl">'</span><span class="p">,</span> <span class="na">resourceId</span><span class="p">:</span> <span class="nx">record</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">oldValues</span><span class="p">:</span> <span class="nx">record</span><span class="p">,</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">user-agent</span><span class="dl">'</span><span class="p">],</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> Things I'd Do Differently </h2> <p>Working on compliance-sensitive projects has taught me a few things about audit logging that I wish I'd known earlier.<br> The biggest one: log the reason, not just the action. For high-risk operations like deletions or adjustments, add a <code>reason</code> field. When a discrepancy comes up months later, "disposal — patient refused" is infinitely more useful than just seeing a number change in the data. A plain UPDATE tells you nothing about why.<br> Second: store the user's role at log time. Roles change. If someone was an admin when they made a change and you only stored their user ID, you'll have to reconstruct what role they had at that point in time — usually when you're already under pressure. Just log <code>role: 'admin'</code> alongside the user ID.<br> And build the query UI early. The first few months on one project we had the data but no easy way to search it, which meant every incident investigation started with someone running raw SQL. A simple admin page with date range and user filters makes a huge difference when you actually need it.</p> <h2> Wrapping Up </h2> <p>The core pattern is simple: append-only table, a central log function that never blocks, and database-level protection against tampering. Most of the complexity is in the details — what to log, how to query it, and how to make it useful when you actually need it.<br> Get the foundation in place early. It's much harder to retrofit an audit trail into an existing app than to build it in from the start.</p> <p><em>Zia Ullah is a full-stack developer with 12+ years of experience (since 2013), specializing in web applications for healthcare and SaaS. He works at <a href="https://www.valueadd.se" rel="noopener noreferrer">ValueAdd</a>, a software development company based in Sweden.</em></p> backend security tutorial webdev