Articles

Node.js Security Hardening: 30-Point Checklist (2026)

April 18, 2026 10 min read

Node.js security hardening is less about adding layers of defense and more about systematically removing the vulnerabilities that Node.js, by its very nature, exposes.

Let’s see Node.js in action, specifically how a common vulnerability might manifest. Imagine a simple Express app:

const express = require('express');
const app = express();
const port = 3000;

app.use(express.urlencoded({ extended: false })); // For parsing form data

app.post('/user', (req, res) => {
  const username = req.body.username;
  // Vulnerable operation: direct database query with user input
  db.query(`SELECT * FROM users WHERE username = '${username}'`, (err, results) => {
    if (err) throw err;
    res.send(results);
  });
});

app.listen(port, () => {
  console.log(`App listening on port ${port}`);
});

If a malicious actor sends username as ' OR '1'='1, the db.query becomes SELECT * FROM users WHERE username = '' OR '1'='1', effectively bypassing authentication and returning all users. This isn’t a Node.js bug; it’s how untrusted input can be mishandled in any language, but Node.js’s ease of use and common patterns can make it easy to overlook.

The core problem Node.js security hardening addresses is its default trust in external input and its powerful, flexible runtime. Node.js is designed to be fast and flexible, which often means it doesn’t have as many built-in safeguards as more opinionated or compiled languages. This leads to common attack vectors like injection (SQL, NoSQL, command), cross-site scripting (XSS), insecure direct object references (IDOR), and denial-of-service (DoS) when not properly managed.

Here’s a practical checklist to harden your Node.js applications:

  1. Update Node.js and npm: Always run the latest LTS version.

    • Diagnosis: node -v and npm -v. Check against current LTS at nodejs.org.
    • Fix: nvm install --lts (if using nvm) and npm install -g npm@latest.
    • Why it works: Patches security vulnerabilities discovered in the runtime and package manager.

  2. Use a Dependency Scanner: Regularly scan your dependencies for known vulnerabilities.

    • Diagnosis: npm audit.
    • Fix: npm audit fix or manually update vulnerable packages. For critical vulnerabilities, consider forking and patching if an update isn’t available.
    • Why it works: Identifies and helps remediate packages with published CVEs.

  3. Sanitize and Validate All User Input: Never trust data coming from the client.

    • Diagnosis: Manual code review of all API endpoints and data handling. Use tools like validator.js.
    • Fix: For strings, use validator.escape(string) or validator.trim(string). For numbers, parseInt(string, 10). For dates, new Date(string). Always check against expected formats and ranges.
    • Why it works: Prevents injection attacks by ensuring data conforms to its expected type and format.

  4. Prevent SQL Injection: Use parameterized queries or ORMs.

    • Diagnosis: Review database query construction in your code.
    • Fix: If using mysql2 or pg, use connection.execute('SELECT * FROM users WHERE username = ?', [username]) or connection.query('SELECT * FROM users WHERE username = $1', [username]). For ORMs like Sequelize, use their built-in methods which handle parameterization by default.
    • Why it works: The database driver treats the parameters as literal values, not executable SQL code.

  5. Prevent NoSQL Injection: Similar to SQL, use parameterized queries or ODM features.

    • Diagnosis: Review MongoDB/Mongoose query construction.
    • Fix: For Mongoose, use schema validation and avoid constructing queries with raw JavaScript objects that could contain $where or other operators. Use methods like Model.find({ username: username }).
    • Why it works: Prevents attackers from injecting malicious operators into your database queries.

  6. Implement Rate Limiting: Protect against brute-force attacks and DoS.

    • Diagnosis: Observe server logs for repeated requests from the same IP.
    • Fix: Use middleware like express-rate-limit. Example:
      const rateLimit = require('express-rate-limit');
const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per windowMs
  message: 'Too many requests from this IP, please try again after 15 minutes'
});
app.use('/api/', apiLimiter);
    • Why it works: Limits the number of requests a client can make within a specific time frame.

  7. Secure Cookies: Use httpOnly and secure flags.

    • Diagnosis: Inspect cookies in browser developer tools.
    • Fix: When setting cookies (e.g., using res.cookie() in Express):
      res.cookie('sessionID', '...', { httpOnly: true, secure: process.env.NODE_ENV === 'production' });
    • Why it works: httpOnly prevents JavaScript access, mitigating XSS attacks. secure ensures cookies are only sent over HTTPS.

  8. Use Helmet.js: A collection of middleware for security.

    • Diagnosis: Lack of standard security headers.
    • Fix: npm install helmet. In your app: const helmet = require('helmet'); app.use(helmet());.
    • Why it works: Sets various HTTP headers like X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, etc., to protect against common web vulnerabilities.

  9. Disable x-powered-by Header: Don’t reveal your framework.

    • Diagnosis: curl -I http://localhost:3000 and look for X-Powered-By: Express.
    • Fix: app.disable('x-powered-by'); or use Helmet, which disables it by default.
    • Why it works: Reduces information leakage that attackers can use to target specific vulnerabilities.

  10. Secure File Uploads: Validate file types, sizes, and store them outside the web root.

    • Diagnosis: Review file upload handling logic.
    • Fix: Use libraries like multer. Validate mimetype and originalname. Store uploads in a dedicated, non-executable directory. Never trust the Content-Type header from the client.
    • Why it works: Prevents attackers from uploading malicious scripts or executables.

  11. Handle Errors Gracefully: Don’t leak sensitive information.

    • Diagnosis: Observe error messages in production environments.
    • Fix: Implement a global error handler. Log detailed errors to a secure log file, but send generic error messages to the client.
      app.use((err, req, res, next) => {
  console.error(err.stack); // Log the full error server-side
  res.status(500).send('Something broke!'); // Send a generic message to client
});
    • Why it works: Prevents attackers from gaining insight into your system’s internals through error messages.

  12. Use Environment Variables for Secrets: Never hardcode credentials.

    • Diagnosis: Hardcoded API keys, database passwords in code.
    • Fix: Use process.env.YOUR_SECRET_KEY. Load variables using dotenv in development: require('dotenv').config();.
    • Why it works: Keeps sensitive information out of version control and easily accessible code.

  13. Secure Dependencies: Regularly update and audit. (Covered in #2, but crucial enough to reiterate).

  14. Disable eval() and new Function(): Avoid dynamic code execution.

    • Diagnosis: Use of eval() or new Function() with untrusted input.
    • Fix: Refactor code to avoid these. If absolutely necessary, ensure input is rigorously sanitized, but it’s generally best to avoid them entirely.
    • Why it works: Prevents arbitrary code execution vulnerabilities.

  15. Implement Input Validation for JSON: Especially for express.json().

    • Diagnosis: Malformed or overly large JSON payloads causing issues.
    • Fix: Use express.json({ strict: true, limit: '1mb' }). Consider schema validation libraries like ajv.
    • Why it works: Prevents DoS from excessively large or malformed JSON.

  16. Use npm ci in CI/CD: For reproducible builds.

    • Diagnosis: Inconsistent dependency versions between local and CI environments.
    • Fix: Replace npm install with npm ci in your build scripts.
    • Why it works: Installs exact versions from package-lock.json, preventing unexpected dependency changes.

  17. Limit Package Permissions: Use npm install --ignore-scripts if possible.

    • Diagnosis: Malicious packages running post-install scripts.
    • Fix: Avoid packages with complex build steps or scripts sections if not strictly necessary. Use npm install --ignore-scripts if you trust the package and don’t need its scripts.
    • Why it works: Prevents malicious code embedded in package installation scripts from executing.

  18. Secure WebSocket Connections: Use WSS (TLS) and validate origin.

    • Diagnosis: Unencrypted WebSocket traffic or lack of origin checks.
    • Fix: Configure your server to use WSS. Implement origin checks within your WebSocket handler.
    • Why it works: Encrypts data in transit and prevents unauthorized clients from connecting.

  19. Implement a Content Security Policy (CSP): Mitigate XSS.

    • Diagnosis: Lack of CSP headers.
    • Fix: Use helmet’s contentSecurityPolicy middleware.
      app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", 'https://apis.google.com'],
    // ... other directives
  },
}));
    • Why it works: Tells the browser which dynamic resources (scripts, styles, etc.) are allowed to load.

  20. Regular Security Audits: Independent reviews.

    • Diagnosis: Lack of external validation.
    • Fix: Engage third-party security firms for penetration testing and code reviews.
    • Why it works: Identifies blind spots and vulnerabilities missed by internal teams.

  21. Principle of Least Privilege: Run Node.js processes with minimal necessary permissions.

    • Diagnosis: Node.js process running as root or with excessive filesystem access.
    • Fix: Run the Node.js process under a dedicated, unprivileged user account. Use tools like setuid/setgid or containerization to enforce this.
    • Why it works: Limits the damage an attacker can do if they compromise the Node.js process.

  22. Use Buffer.from() with encoding: Avoid deprecated Buffer() constructor.

    • Diagnosis: Usage of new Buffer(string, 'base64').
    • Fix: Buffer.from(string, 'base64').
    • Why it works: The deprecated constructor could be tricked into allocating arbitrary amounts of memory, leading to DoS. Buffer.from() is safer.

  23. Sanitize Templating Engine Input: Prevent XSS in view layers.

    • Diagnosis: Direct insertion of user data into HTML templates.
    • Fix: Use auto-escaping features of templating engines like EJS, Pug, Handlebars. E.g., in EJS, <%= unsafe %> is escaped, <%- unsafe %> is not.
    • Why it works: Automatically converts special HTML characters (like <, >, &) into their entity equivalents, preventing them from being interpreted as HTML.

  24. Securely Handle JSON Web Tokens (JWT): Store them securely, use strong secrets.

    • Diagnosis: JWTs stored in localStorage, weak signing algorithms.
    • Fix: Store JWTs in httpOnly cookies. Use strong, unique secrets for signing. Avoid alg: "none". Use algorithms like HS256 or RS256.
    • Why it works: Protects session data from XSS and ensures token integrity.

  25. Protect Against SSRF (Server-Side Request Forgery): Validate URLs.

    • Diagnosis: Node.js making requests to arbitrary user-supplied URLs.
    • Fix: Use libraries like valid-url to validate URLs before making requests. Maintain an allowlist of trusted domains if possible.
    • Why it works: Prevents attackers from making your server perform requests to internal or external resources it shouldn’t access.

  26. Disable Unused Ports/Services: Reduce attack surface.

    • Diagnosis: Open ports that are not actively used by the application.
    • Fix: Configure your firewall (ufw, iptables) or cloud provider security groups to only allow necessary inbound traffic.
    • Why it works: If a port isn’t open, it can’t be attacked.

  27. Implement Logging and Monitoring: Detect and respond to incidents.

    • Diagnosis: Lack of visibility into application behavior and security events.
    • Fix: Use libraries like winston or morgan for structured logging. Integrate with monitoring tools (e.g., Prometheus, Datadog) to track security-related metrics and set up alerts.
    • Why it works: Enables early detection of attacks and provides forensic data for incident response.

  28. Secure Configuration Management: Use tools like Ansible, Chef, Puppet.

    • Diagnosis: Inconsistent or insecure server configurations.
    • Fix: Automate deployment and configuration to ensure security settings are consistently applied and maintained.
    • Why it works: Reduces human error and ensures a baseline security posture across all environments.

  29. Regularly Review Access Controls: Who can do what?

    • Diagnosis: Overly broad permissions for users or services.
    • Fix: Implement Role-Based Access Control (RBAC). Regularly audit user roles and permissions.
    • Why it works: Ensures that only authorized entities can access sensitive data or perform critical operations.

  30. Stay Informed: Follow Node.js security advisories.

    • Diagnosis: Lack of awareness about new vulnerabilities or best practices.
    • Fix: Subscribe to security mailing lists (e.g., Node.js Security WG), follow security researchers, and dedicate time for continuous learning.
    • Why it works: Proactive security requires staying ahead of emerging threats and vulnerabilities.

After implementing these, the next "problem" you’ll likely encounter is managing the complexity of security across a distributed system, which naturally leads into topics like secrets management and secure communication between microservices.

Want structured learning?

Take the full Nodejs course →