If you’re building a backend using Node.js or Express.js, it’s not just about making routes and sending data.
You also need to secure your API — so no one can break it, crash it, or steal your data.
In this post, I’ll explain 5 important things that every beginner backend developer should learn, in a simple and easy way.
Let’s go 👇
🧩 1. Input Validation
What is Input Validation?
Input validation means checking the data before saving or using it.
For example:
If a user enters an email, we should make sure it’s a real email, not something like
DROP DATABASE users;
Types of Validation
✅ Client-Side Validation
Happens in the browser (like in HTML or React).
<input type="email" required />
This helps users fix mistakes early.
But remember — hackers can bypass client validation, so we must always check again on the backend.
✅ Server-Side Validation
Happens before saving or processing data on your server.
We can use libraries like:
- Zod
- Validator.js
- Joi
Example using Joi 👇
import Joi from "joi";
const schema = Joi.object({
email: Joi.string().email().required(),
password: Joi.string().min(6).required(),
});
const { error } = schema.validate(req.body);
if (error) return res.status(400).send("Invalid data!");
Example using Zod 👇
import { email, z } from "zod";
export const CreateUserSchema = z.object({
username: z.string().min(3).max(20),
password: z.string(),
name: z.string(),
email : z.email(),
photo : z.string()
})
export const SigninSchema = z.object({
username: z.string().min(3).max(20),
password: z.string(),
email : z.email(),
})
export const CreateRoomSchema = z.object({
name: z.string().min(3).max(20),
})
If the data is not valid, send a 400 Bad Request.
This helps prevent SQL Injection and other attacks.
💡 Pro tip: Always validate every input before saving to your database.
⚙️ 2. Rate Limiting
What is Rate Limiting?
Rate limiting means controlling how many requests a user or IP can send in a short time.
This protects your API from being overloaded or attacked.
Example:
If your backend can handle 100 requests per second, you can limit each user to 10 per second.
If someone tries to spam or attack your API, rate limiting will automatically block them — and your server won’t crash 💪
How to Do It in Express
Install the package:
npm install express-rate-limit
Then use it:
import rateLimit from "express-rate-limit";
const limiter = rateLimit({
windowMs: 1000, // 1 second
max: 10, // limit each IP to 10 requests per second
message: "Too many requests, please slow down!",
});
app.use(limiter);
💡 Best practice: Always apply rate limiting on login or signup routes — these are most targeted in attacks.
🔐 3. Protect Your APIs (Using Tokens)
Why Use Tokens?
To protect routes, we use authentication.
The most common way is JWT (JSON Web Token).
How JWT Works
- When a user logs in → backend creates a token.
- The token is sent to frontend and stored (in localStorage or cookies).
- On every request → frontend sends the token back.
- Backend verifies it before giving access.
Example:
You can also use refresh tokens to get a new token when the old one expires.
💡 Always write authentication logic in middleware so you can use it easily across routes.
🧰 4. Error Handling
Why We Need Error Handling?
Errors will happen — maybe a database issue or a coding bug.
We need to handle them properly so:
- The app doesn’t crash
- We don’t show private backend details
- We can log and fix them later
Example:
// Global error handler
app.use((err, req, res, next) => {
console.error(err.stack); // log error
res.status(500).send("Something went wrong!");
});
You can also store errors in files or use tools like ElasticSearch, Sentry, or LogRocket.
💡 Tip: Don’t expose raw errors in production — only send friendly messages to users.
🌐 5. HTTPS
Why HTTPS?
HTTP uses port 80. HTTPS uses port 443.
The “S” stands for Secure — it encrypts data between client and server.
This means even if someone intercepts your traffic, they can’t read the data (like passwords or tokens).
How HTTPS Works
HTTPS uses SSL/TLS certificates for encryption.
You can buy one or get it free from Let’s Encrypt.
Example in Node.js
import https from "https";
import fs from "fs";
import app from "./app.js";
const options = {
key: fs.readFileSync("key.pem"),
cert: fs.readFileSync("cert.pem"),
};
https.createServer(options, app).listen(443, () => {
console.log("Server running on HTTPS");
});
You can also use:
- Nginx or Caddy (for auto HTTPS)
- Cloudflare as a reverse proxy to add HTTPS for free
💡 Always redirect from HTTP → HTTPS.
Top comments (0)