Node.js Security Best Practices for a Deployed App and API
The key Node.js security best practices for a deployed app are: keep dependencies patched, never ship secrets in the client bundle, set HTTP security headers with Helmet, enforce HTTPS with a strong TLS configuration, validate every input, rate-limit your endpoints, lock CORS to known origins, and return generic errors with no stack traces in production. On top of that, make sure your server never serves files like .env or .git/. This guide walks each one, then shows how to verify the externally visible parts against your live domain.
These map closely to the official Node.js security best practices guide and the OWASP Top 10 — start there if you want the canonical references. Below is the practical, deploy-it version.
What is the Node.js security checklist in short?
- Patch dependencies — run
npm audit, watch for CVEs, update promptly. - Keep secrets out of the bundle — load them from env vars, never hardcode or ship them to the browser.
- Set security headers with Helmet — HSTS,
nosniff, frame protection, a tuned CSP. - Enforce HTTPS/TLS — redirect HTTP to HTTPS, send a long
Strict-Transport-Securitymax-age. - Validate and sanitize input — schema-validate bodies, params, and query strings.
- Rate-limit endpoints — throttle login and write actions to slow brute force and abuse.
- Lock down CORS — allowlist origins; never reflect arbitrary
Origin. - Fail safely — generic error responses, no stack traces in production.
- Don't serve dotfiles — block
.env,.git/, backups, and source maps from the web root.
Each section below expands one of these.
How do I keep Node.js dependencies and CVEs under control?
Most Node.js incidents start with a known-vulnerable package, not novel code. The single highest-leverage habit is dependency hygiene:
- Run
npm auditregularly and in CI. Treat a vulnerable transitive dependency as seriously as a direct one — attackers exploit the whole tree. - Commit a lockfile (
package-lock.json) so builds are reproducible and you know exactly what shipped. - Remove dependencies you no longer use. Less surface, fewer CVEs to track.
- Automate it. Wire
npm audit(or a dependency-update bot) into CI so a newly disclosed CVE breaks the build instead of sitting silently in production.
This is something only you can do — it requires reading your package.json and lockfile, which lives in your repo and your CI, not on the public internet. An external scanner cannot see your dependency tree, so own this step yourself.
How do I handle secrets and environment variables safely?
The golden rule: secrets live in environment variables (or a secret manager), never in source, and never in anything shipped to the browser.
- Load secrets from
process.env, injected by your host or orchestrator. Don't commit.envfiles; add them to.gitignore. - Never put a real secret in client-side JavaScript. Anything in a frontend bundle is downloadable by every visitor — an API key in your client bundle is already public. If you have a server-rendered or SPA front end, route privileged calls through a backend proxy instead of calling third-party APIs from the browser with a private key.
- Rotate any secret that has ever been exposed, and scrub it from git history with a tool like
git-filter-repoif it was committed.
This is the one client-side mistake an external scanner can catch. A black-box scan downloads your homepage and its linked scripts and pattern-matches them for credential shapes (AWS keys, Stripe keys, private keys, database URLs, and so on) using a large detector set — purely from outside, with no access to your source. If a key shows up, it's a real leak by definition. For a deeper treatment, see how to find exposed API keys on a website.
Should I use Helmet for security headers?
Yes — Helmet is the standard way to set HTTP security headers in Express-style Node apps, and it's a few lines:
const helmet = require("helmet");
app.use(helmet());
Helmet sets sensible defaults and lets you tune the important ones. The headers that matter most:
| Header | What it defends against | Helmet / value note |
|---|---|---|
| Strict-Transport-Security | Protocol downgrade / SSL-strip | Long max-age (e.g. 31536000), includeSubDomains once all subdomains serve HTTPS |
| Content-Security-Policy | XSS and injection | Configure explicitly; avoid unsafe-inline / unsafe-eval |
| X-Content-Type-Options | MIME sniffing | nosniff (Helmet default) |
X-Frame-Options / CSP frame-ancestors | Clickjacking | SAMEORIGIN / frame-ancestors 'none' |
| Referrer-Policy | URL leakage to third parties | strict-origin-when-cross-origin |
But Helmet is one layer, not a security strategy. It does nothing for authentication, input validation, dependency CVEs, or leaked secrets. CSP in particular is only useful if you tune it: a policy that still allows 'unsafe-inline' in script-src largely defeats its own XSS protection. If your front end is React or Next.js, Next.js security headers covers a copy-pasteable header setup.
How do I enforce HTTPS and TLS correctly?
Terminate TLS at your load balancer, reverse proxy, or platform, and:
- Redirect all HTTP to HTTPS. Don't serve a usable HTTP version of the app.
- Send HSTS (
Strict-Transport-Security) with a longmax-age— a short value gives weak downgrade protection. AddincludeSubDomains; preloadonly when every subdomain is HTTPS, because preload is hard to reverse. - Keep your TLS config modern — disable legacy protocol versions and weak ciphers. Most of this is handled by your proxy or platform, but defaults drift, so verify.
TLS configuration is entirely externally observable, which makes it easy to confirm after deploy (see the verification section).
How do I validate input and secure a REST API?
Untrusted input is the root of injection, and the OWASP Top 10 consistently ranks injection and broken access control near the top. For a Node.js REST API:
- Schema-validate everything — request bodies, route params, and query strings — with a validator like
zod,joi, orexpress-validator. Reject anything that doesn't match; don't try to "clean" arbitrary input. - Use parameterized queries for any database access. Never build SQL or NoSQL queries by string concatenation.
- Authenticate and authorize every endpoint. Check not just who the caller is but whether they may touch this specific resource — broken object-level authorization (IDOR) is a leading API risk.
- Set sane payload limits so a giant body can't exhaust memory.
The OWASP Cheat Sheet Series has focused guides for input validation, REST security, and authorization that are worth bookmarking.
How do I rate-limit and configure CORS?
Rate limiting slows brute-force, credential-stuffing, and scraping. Throttle authentication and write endpoints with middleware like express-rate-limit, keyed by IP or API key. You don't need to throttle idempotent reads as aggressively, but mutating actions should always be capped.
CORS decides which web origins may call your API from a browser. The common mistake is reflecting the request's Origin back, which effectively allows everyone. Instead, maintain an explicit allowlist:
const cors = require("cors");
app.use(cors({ origin: ["https://app.example.com"], credentials: true }));
Only enable credentials: true when you genuinely send cookies cross-origin, and never combine it with a wildcard origin. A misconfigured CORS policy is externally detectable, so it's worth checking on the live API — see how to test and fix a permissive CORS policy for the full breakdown.
How should errors and exposed files be handled in production?
Two quiet leaks worth closing:
- No stack traces in production. A verbose error handler that returns the exception, stack, or framework debug page hands an attacker your file paths, library versions, and internal structure. Catch errors centrally, log the detail server-side, and return a generic message and status code to the client. Set
NODE_ENV=productionso frameworks switch off debug output. - Don't serve dotfiles or build artifacts. Your web root should never serve
.env,.git/,.npmrc, backup archives (backup.zip,*.sql), private keys, or source maps. These are commonly leaked by a misconfigured static handler or a.gitignoremistake, and they're trivial to probe for from outside. A.git/directory served publicly can let an attacker reconstruct your source.
How do I verify the externally observable parts with a black-box scan?
Everything above splits into two halves. The repo-side half — dependency CVEs, secret management, validation logic — is yours to own and can't be seen from outside. But a large share of these practices is externally observable, and the only reliable way to know what your deployed app exposes is to look at it from the internet, the same way an attacker would.
That's where a black-box scan against your live domain comes in. SteelSuit scans your deployed domain with no access to your source, package.json, or node_modules — it sees only what your server actually returns:
| Best practice | What's checked from outside |
|---|---|
| TLS / HTTPS | Real testssl.sh-based TLS configuration and HSTS on the live endpoint |
| Security headers | Presence and quality of headers, plus a CSP evaluator (flags unsafe-inline, wildcards) |
| Secrets in bundle | Pattern-match of your homepage and linked JS for leaked credential shapes (no key verification) |
| Exposed files | Probes for .env, .git/, backups, robots/sitemap exposure |
| CORS | Deep CORS misconfiguration checks |
| Tech / known CVEs | CDN and tech fingerprint; a deep scan adds the full Nuclei template set and a CMS check |
The free fast_scan runs in about 26 seconds; the deeper deep_scan takes roughly 5–6 minutes and requires DNS-TXT ownership verification. It returns prioritized findings with stack-specific fix advice. Two honest caveats for a Node app specifically: SteelSuit does not run npm audit or read your dependency files — own that yourself in CI — and it pattern-matches secrets without probing the provider, so confirm any match against your own dashboards before acting.
For the full deployment-time list, pair this with the web application security checklist. The combination — disciplined repo hygiene plus an external scan of the live domain — is the most reliable answer to how to secure a web application built on Node.js.
Frequently asked
Is Node.js secure?
Node.js itself is actively maintained and reasonably secure, but most real-world risk comes from how you use it: outdated dependencies, leaked secrets, missing security headers, weak input validation, and verbose error output. Following the official Node.js security best practices and verifying your deployed app closes the common gaps.
How do I secure a REST API in Node.js?
Enforce HTTPS, authenticate and authorize every endpoint, validate and sanitize all input against a schema, rate-limit requests to slow abuse and brute force, restrict CORS to known origins, and return generic error responses without stack traces. Keep dependencies patched and never expose secrets in responses or client code.
Does Helmet make my app secure?
No. Helmet sets sensible HTTP security headers (like HSTS, X-Content-Type-Options, and a Content-Security-Policy you configure) that reduce specific browser-side risks such as clickjacking and MIME sniffing. It is one layer. You still need input validation, authentication, dependency hygiene, TLS, and safe error handling.
How do I keep Node.js dependencies safe?
Run npm audit regularly, update packages promptly when CVEs are disclosed, pin versions with a lockfile, remove unused dependencies, and automate alerts in CI. Treat a vulnerable transitive dependency as seriously as a direct one, since attackers exploit the whole tree.
How do I check that my deployed Node app is configured securely?
Run a black-box scan against your live domain. An external scanner reads your real TLS configuration and HTTP headers, probes for exposed files like .env and .git, checks CORS, and pattern-matches your client bundle for leaked keys — confirming what your app actually exposes to the internet rather than what your config claims.