Your Node App Isn't Secure by Default — Fix That

Set sane HTTP headers, safe CORS, and practical hardening in minutes — without turning your codebase into a security thesis.

Vectorlane

~6 min read · January 27, 2026 (Updated: January 27, 2026) · Free: No

Node.js secure defaults made practical: Helmet headers, strict CORS, cookie safety, rate limits, body limits, and production hardening you can ship today.

Let's be honest: most Node.js apps ship "working" long before they ship "safe."

You build the endpoints, connect the DB, wire auth, deploy. Then security becomes a vague future task — until a bug bounty report lands in your inbox, or your logs show weird cross-origin requests, or someone pastes an access token into a public issue by accident.

The tricky part? A lot of the highest-impact security wins aren't deep crypto problems. They're defaults. Headers you didn't set. CORS rules you left wide open. Middleware you forgot. Error messages that leak too much.

So this article is about secure defaults: the boring, repeatable baseline that makes your Node service harder to poke holes in — without slowing down development.

The "secure defaults" mindset

Security isn't one big feature. It's a hundred small decisions that compound.

A secure-default Node app typically aims for:

Least exposure (only allow the origins, methods, and data you truly need)
Clear boundaries (browser vs server rules; trusted proxy vs untrusted network)
Safe failure modes (errors don't leak, rate limits kick in, payloads are bounded)
Consistency (one shared setup across services)

If your setup depends on "remembering to do it later," it won't happen later.

Headers: the cheapest protection you'll ever add

HTTP response headers are like guardrails on a mountain road: you can drive without them… until you can't.

Use Helmet, but don't stop thinking

For Express, Helmet is the standard baseline. It sets sensible security headers and prevents you from hand-rolling a half-correct configuration.

import express from "express";
import helmet from "helmet";

const app = express();

app.use(
  helmet({
    // Keep defaults, but be explicit when you choose to relax something.
    contentSecurityPolicy: false, // enable later when you're ready to tune it
  })
);

Why CSP is off above: CSP is powerful, but it's also the header most likely to break real frontends if you enable it blindly. Start with the other headers, then come back and tighten CSP once you know what scripts/styles you load.

A practical CSP starter (when you're ready)

If you serve a UI from the same domain (not a separate CDN circus), you can begin with a conservative CSP.

app.use(
  helmet.contentSecurityPolicy({
    useDefaults: true,
    directives: {
      "default-src": ["'self'"],
      "img-src": ["'self'", "data:"],
      "script-src": ["'self'"],
      "style-src": ["'self'"],
      "object-src": ["'none'"],
      "base-uri": ["'self'"],
      "frame-ancestors": ["'none'"],
    },
  })
);

This is intentionally strict. If you need exceptions, add them one by one, and keep a short comment explaining why. That comment saves you six months later.

Don't forget the little ones

Even if you don't use Helmet, make sure you've thought about:

HSTS (only when you're fully HTTPS and behind a trusted proxy/CDN)
X-Content-Type-Options: nosniff
Referrer-Policy
Frame-ancestors / X-Frame-Options (clickjacking protection)
Permissions-Policy (reduce browser feature exposure)

Headers won't fix broken auth. But they reduce the "free attack surface" you didn't mean to offer.

CORS: the setting people copy-paste into disasters

CORS isn't a server security feature in the traditional sense. It's a browser enforcement policy. But it still matters because misconfiguring it leads to accidental data exposure, confusing failures, and "we had to open it up to make it work" moments.

Rule #1: never ship `origin: *` with credentials

If your API uses cookies or auth headers and you set permissive CORS, you're asking for trouble.

Here's a safer baseline:

import cors from "cors";

const allowlist = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

app.use(
  cors({
    origin(origin, cb) {
      // Allow same-origin or server-to-server calls with no Origin header
      if (!origin) return cb(null, true);
      return allowlist.has(origin) ? cb(null, true) : cb(new Error("CORS blocked"), false);
    },
    methods: ["GET", "POST", "PUT", "PATCH", "DELETE"],
    allowedHeaders: ["Content-Type", "Authorization"],
    credentials: true,
    maxAge: 600,
  })
);

This does three important things:

Explicit allowlist (not vibes, not regex chaos)
Handles requests with no Origin header (common for server-to-server)
Keeps credentials intentional

Preflight failures that look like "random outages"

If your frontend suddenly fails in production but works in Postman, it's often CORS preflight. Browsers send an OPTIONS request first for certain methods/headers. If you don't handle it consistently, you get flaky behavior.

Most CORS middleware handles preflight. Just don't place it after routes that reject OPTIONS.

Cookies, sessions, and "why is this token readable in JS?"

If you use cookies for auth (session cookies, refresh tokens), set strict attributes. This is one of those "tiny config, huge impact" moments.

HttpOnly: prevents JavaScript access (reduces XSS token theft)
Secure: cookies only over HTTPS
SameSite: reduces CSRF risk

Example:

res.cookie("session", token, {
  httpOnly: true,
  secure: true,
  sameSite: "lax",
  path: "/",
  maxAge: 7 * 24 * 60 * 60 * 1000,
});

If you're using cookies across subdomains or in embedded contexts, you might need SameSite=None; Secure. But treat that as a high-risk exception, not the default.

Practical hardening: the stuff attackers love to exploit

1) Limit request bodies

Unlimited JSON bodies are an invitation for memory pain.

app.use(express.json({ limit: "200kb" }));
app.use(express.urlencoded({ extended: true, limit: "200kb" }));

Pick a limit based on your real payloads. Most APIs don't need megabytes.

2) Validate inputs (yes, even if you "trust the frontend")

You don't need to turn every route into a dissertation. But at least validate shape and types. A lightweight approach:

Validate request bodies
Validate query params
Normalize early

If you do nothing else, validate IDs and enum-like fields. It eliminates a surprising number of "impossible" bugs.

3) Avoid leaking stack traces

In production, your errors should be:

useful to you
boring to the attacker

app.use((err, req, res, next) => {
  const status = err.statusCode || 500;

  // Log full details internally
  req.log?.error({ err }, "request failed");

  // Return minimal info externally
  res.status(status).json({
    error: status >= 500 ? "Internal Server Error" : err.message,
  });
});

4) Add rate limiting where it matters

Login endpoints, OTP endpoints, password reset, and anything that triggers side effects (emails, payments, exports). A basic limiter can stop basic abuse and credential stuffing attempts from turning into a disaster.

5) Trust proxies explicitly (or don't trust them at all)

If you're behind a load balancer/CDN, set:

app.set("trust proxy", 1);

Do this only when you actually are behind a trusted proxy. Otherwise you risk spoofed IPs and incorrect HTTPS detection.

Architecture flow: how these pieces fit in a real service

A good Node.js hardening setup is not "random middleware sprinkled around." It's a deliberate request lifecycle:

Edge layer (CDN / load balancer): TLS termination, basic WAF rules, request size limits
App entry: security headers + CORS applied consistently to every response
Parsing: body limits + content type checks before heavy work
Auth: cookie/header validation + CSRF strategy (if cookie-based)
Validation: strict schemas for inputs
Routes: business logic
Error handler: safe output + rich internal logging
Abuse controls: rate limiting and anomaly signals

The idea is simple: reject bad requests early, do less work per request, and avoid accidental data leakage.

A tiny "secure defaults" Express starter

Here's a compact baseline you can paste into a new service:

import express from "express";
import helmet from "helmet";
import cors from "cors";

const app = express();

const allowlist = new Set(["https://app.example.com"]);

app.set("trust proxy", 1);

app.use(helmet());
app.use(
  cors({
    origin(origin, cb) {
      if (!origin) return cb(null, true);
      return allowlist.has(origin) ? cb(null, true) : cb(new Error("CORS blocked"), false);
    },
    credentials: true,
    methods: ["GET", "POST", "PUT", "PATCH", "DELETE"],
    allowedHeaders: ["Content-Type", "Authorization"],
    maxAge: 600,
  })
);

app.use(express.json({ limit: "200kb" }));

app.get("/health", (req, res) => res.json({ ok: true }));

app.use((err, req, res, next) => {
  const status = err.statusCode || 500;
  res.status(status).json({ error: status >= 500 ? "Internal Server Error" : err.message });
});

export default app;

Is this "perfect security"? No. But it's a dramatically better default than the blank-slate Express app most services start from.

Conclusion: security gets easier when defaults do the work

The goal isn't to make your Node.js app unhackable. The goal is to stop giving away easy wins.

Set your headers. Make CORS boring and strict. Bound your payloads. Handle errors safely. Rate limit the obvious abuse points. Then build features with less fear.

CTA: If you tell me your stack (Express/Fastify/Nest), auth style (JWT header vs cookies), and where your frontend is hosted, I'll suggest a secure-default configuration that fits your exact setup.

#nodejs #web-security #expressjs #backend-engineering #owasp