Node servers face the same threats as PHP or Java backends—injection, broken auth, sensitive data exposure, and misconfiguration. Security is layered defaults plus disciplined code.
Core defenses
- Validate input — schemas at boundaries; parameterized queries for SQL
- Authn/Authz — verify identity, then check permissions per resource
- Helmet — security headers (CSP, X-Frame-Options) in Express
- Rate limiting — slow brute-force on login routes
- Dependencies — npm audit, lockfiles, minimal packages
Common mistakes
- Logging passwords or tokens
- Detailed stack traces in JSON error responses
- CORS set to * with credentials
- Path traversal in file download routes
Important interview questions and answers
- Q: SQL injection in Node?
A: Still possible with string concatenation—use parameterized queries (pg, mysql2, Prisma).
- Q: CSRF for cookie auth?
A: SameSite cookies, CSRF tokens on state-changing forms, or use token auth without cookies.
Self-check
- Name two headers Helmet helps set.
- Why avoid * CORS with credentials?
Pitfall: Never commit .env files—use environment variables in production and rotate leaked keys immediately.
Interview prep
- Helmet and rate limiting?
Helmet sets security HTTP headers; rate limiting caps requests per IP/key to reduce brute-force and abuse—both are common Express middleware.