Node.js Security Checklist: 28 Essential Steps

Never store plaintext passwords. Use bcrypt with a cost factor of 12+ or Argon2id (preferred). Both are designed to be computationally expensive, making brute-force attacks impractical. Never use MD5, SHA-1, or SHA-256 for passwords — they are too fast.

Set JWT access token expiration to 15 minutes maximum. Use refresh tokens stored in httpOnly cookies with longer expiration. Implement token rotation — issue a new refresh token with each use and invalidate the old one to detect token theft.

Limit login attempts to 5-10 per minute per IP and per account. Use `rate-limiter-flexible` with Redis for distributed rate limiting. Implement progressive delays (1s, 2s, 4s, 8s) after failed attempts. This prevents credential stuffing and brute-force attacks.

Use middleware to verify JWT tokens and check user roles/permissions before processing requests. Never rely on client-side route protection alone — attackers can call your API directly. Test authorization with tools like Burp Suite or custom scripts.

If using cookies for authentication, implement CSRF tokens using the double-submit cookie pattern or the synchronizer token pattern. Libraries like `csurf` (for Express) or built-in CSRF protection in frameworks like Fastify handle this. SameSite=Strict cookies add defense in depth.

Use Zod, Joi, or Yup to validate request body, query parameters, URL parameters, and headers. Define strict schemas that reject unexpected fields. Never trust client input — validate on the server even if you validate on the client.

Never concatenate user input into SQL strings. Use parameterized queries (`$1`, `?` placeholders) with your database driver or an ORM like Prisma, Drizzle, or Knex. Even a single unparameterized query is a complete database compromise waiting to happen.

Sanitize query objects to prevent operator injection. An attacker sending `{ '$gt': '' }` as a password field bypasses authentication. Use `mongo-sanitize` or validate that input values are strings/numbers, never objects.

Use DOMPurify or sanitize-html when rendering user-generated content. Set Content-Type headers correctly. In template engines, use auto-escaping (enabled by default in EJS, Pug, Handlebars). Never insert raw user input into HTML, JavaScript, or CSS contexts.

Never pass user input to `exec()` or `spawn()` with shell option. Use `execFile()` with argument arrays instead of string concatenation. If shell execution is necessary, use a strict allowlist of permitted commands and arguments.

Set `express.json({ limit: '100kb' })` and configure file upload limits with Multer or Busboy. Without limits, attackers can exhaust server memory with massive payloads. Set limits appropriate to your use case — most API requests should be under 1MB.

Install `helmet` middleware to set secure defaults for 15+ HTTP headers. It configures Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and more. Customize the defaults for your specific needs rather than starting from scratch.

Define a strict CSP that whitelists only trusted script and style sources. Start with `default-src 'self'` and add exceptions as needed. Use `report-uri` or `report-to` to catch violations before they affect users. Test with CSP Evaluator (csp-evaluator.withgoogle.com).

Use the `cors` package with an explicit allowlist of origins. Never use `origin: '*'` in production for APIs that use cookies or authentication. Validate the Origin header against your allowlist and return the matching origin, not a wildcard.

Set `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`. This tells browsers to always use HTTPS. After testing, submit your domain to the HSTS preload list (hstspreload.org) for permanent HTTPS enforcement.

Set all cookies with `Secure` (HTTPS only), `HttpOnly` (no JavaScript access), `SameSite=Strict` or `Lax`, and appropriate `Path` and `Domain`. Use `__Host-` prefix for cookies that should only be set by the host and sent over HTTPS.

Execute `npm audit` and address all high and critical severity issues. Use `npm audit fix` for compatible patches. For breaking changes, evaluate if the vulnerable code path is actually used in your application before upgrading.

Use GitHub Dependabot, Snyk, or Socket.dev to scan for vulnerable dependencies on every PR and get alerts for new vulnerabilities in existing dependencies. Automated scanning catches issues between manual audits.

Commit your `package-lock.json` or `bun.lockb` and use `npm ci` (not `npm install`) in CI. This ensures reproducible builds and prevents unexpected updates. Unlocked dependencies can silently introduce vulnerable or malicious code.

Before `npm install`, check the package on npmjs.com for maintenance activity, download counts, and open issues. Use Socket.dev to detect supply chain risks like install scripts, network access, or obfuscated code. One malicious package compromises everything.

Run `npx depcheck` to find packages in package.json that are never imported. Unused dependencies increase your attack surface without providing value. Each dependency is code you did not write running with your application's permissions.

In production, return generic error messages to API clients (`Internal Server Error`) and log the full error details server-side. Stack traces reveal file paths, dependency versions, and internal logic that attackers use to find vulnerabilities.

Use Pino or Winston for structured JSON logging. Configure redaction for passwords, tokens, credit card numbers, and PII. Use log levels (error, warn, info, debug) and only enable debug in non-production environments.

Never commit API keys, database passwords, or JWT secrets to source control. Use environment variables, a secrets manager (AWS Secrets Manager, HashiCorp Vault), or encrypted .env files. Add `.env` to `.gitignore` and verify it is not tracked.

Run your Node.js process as a non-root user in Docker. Set `USER node` in your Dockerfile. Restrict file system access to only required directories. Use Node.js permission model (--experimental-permission) for fine-grained control in Node 20+.

Implement a `/health` endpoint that checks database connectivity and critical services. Handle SIGTERM and SIGINT signals to close database connections, finish in-flight requests, and exit cleanly. Graceful shutdown prevents data corruption during deployments.

Set up alerts for unusual patterns: spike in 401/403 responses, many requests from a single IP, unexpected outbound network calls, or CPU/memory spikes. Use a SIEM or application monitoring tool to correlate events and detect attacks in progress.

Run the latest LTS version of Node.js and update promptly when security patches are released. Subscribe to the Node.js security mailing list. EOL Node.js versions receive no security patches, leaving known vulnerabilities unpatched indefinitely.