Production Best Practices

Performance and Reliability

  • Use gzip compression

  • Use the compression middleware for gzip compression in your Express app. For example:

    const compression = require("compression");
    const express = require("express");
    const app = express();
    app.use(compression());
  • Don’t use synchronous functions

  • Handle exceptions properly

  • To ensure you handle all exceptions, use the following techniques:

    • Use try-catch

      app.get("/search", function(req, res) {
        // Simulating async operation
        setImmediate(function() {
          const jsonStr = req.query.params;
          try {
            const jsonObj = JSON.parse(jsonStr);
            res.send("Success");
          } catch (e) {
            res.status(400).send("Invalid JSON string");
          }
        });
      });

    • Use promises

      app.get("/", function(req, res, next) {
        // do some sync stuff
        queryDb()
          .then(function(data) {
            // handle data
            return makeCsv(data);
          })
          .then(function(csv) {
            // handle csv
          })
          .catch(next);
      });

      app.use(function(err, req, res, next) {
        // handle error
      });
  • Setting NODE_ENV to “production” makes Express:

    • Cache view templates.
    • Cache CSS files generated from CSS extensions.
    • Generate less verbose error messages.
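The two points above (routing promise rejections to the error middleware via `next`, and NODE_ENV-dependent error verbosity) combined in one runnable example. This is added here and is not code from the Express docs; the `wrapAsync`, `makeErrorHandler` and `runRequest` names are assumptions, and `runRequest` uses stub `req`/`res` objects so the example runs without Express installed.

```javascript
// Added example, not from the Express docs: forward rejected promises from an
// async route handler to the error-handling middleware, and let that handler
// return a less verbose message when NODE_ENV is "production". No Express
// dependency: only the (req, res, next) convention is used, with stub objects.

// Wrap an async (or sync) handler so any thrown error or rejection reaches
// next(err) instead of becoming an unhandled rejection that crashes the process.
function wrapAsync(handler) {
  return function (req, res, next) {
    Promise.resolve()
      .then(() => handler(req, res, next))
      .catch(next);
  };
}

// Route handler: parses ?params=... as JSON (like the try-catch example above),
// but relies on the wrapper instead of an inline try/catch.
const searchHandler = wrapAsync(async function (req, res) {
  const obj = JSON.parse(req.query.params); // throws SyntaxError on bad input
  res.status(200).send({ ok: true, keys: Object.keys(obj) });
});

// Error middleware (four parameters, so Express recognises it as such).
// In production the client gets a generic message; elsewhere the stack is
// included, mirroring the "less verbose error messages" behaviour noted above.
function makeErrorHandler(env) {
  return function (err, req, res, next) {
    const status = err instanceof SyntaxError ? 400 : 500;
    const body = env === "production"
      ? { error: status === 400 ? "Invalid JSON string" : "Internal Server Error" }
      : { error: err.message, stack: err.stack };
    res.status(status).send(body);
  };
}

// Stand-in for an Express app: run the route, and on failure the error handler.
// Resolves with the status and body the client would receive.
function runRequest(env, query) {
  return new Promise((resolve) => {
    const req = { query };
    const res = {
      statusCode: 200,
      status(code) { this.statusCode = code; return this; },
      send(body) { resolve({ status: this.statusCode, body }); },
    };
    const onError = makeErrorHandler(env);
    searchHandler(req, res, (err) => onError(err, req, res, () => {}));
  });
}
```

In a real app the value passed to `makeErrorHandler` would be `process.env.NODE_ENV`, and `app.use(makeErrorHandler(...))` would be registered after all routes.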
  • Ensure your app automatically restarts

  • Run your app in a cluster

  • Cache request results

  • Use a load balancer

  • Use a reverse proxy

Security

  • Security best practices for Express applications in production include:
    • Don’t use deprecated or vulnerable versions of Express
    • Use TLS
    • Use Helmet
    • Use cookies securely
    • Prevent brute-force attacks against authorization
    • Ensure your dependencies are secure
    • Avoid other known vulnerabilities
    • Additional considerations

Website security threats

  • Cross-Site Scripting (XSS) is a class of attacks that allow an attacker to inject client-side scripts through the website into the browsers of other users.
  • SQL injection enables malicious users to execute arbitrary SQL code on a database, allowing data to be accessed, modified, or deleted irrespective of the user's permissions.
  • Cross-Site Request Forgery (CSRF) attacks allow a malicious user to execute actions using the credentials of another user without that user’s knowledge or consent.
  • Denial of Service (DoS) is usually achieved by flooding a target site with fake requests so that access to a site is disrupted for legitimate users.

Resources