Skip to main content

express-best-practices

Performance

The 15 top best practices for performance in Express applications can be summarized as follows:

  1. Use Node.js built-in features for performance: Node.js includes built-in features that can help improve performance, such as the cluster module which can be used to distribute an app across multiple CPU cores【33†source】.

const cluster = require('cluster');
const totalCPUs = require('os').cpus().length;

if (cluster.isMaster) {
  for (let i = 0; i < totalCPUs; i++) {
    cluster.fork();
  }
} else {
  // Initialize server (e.g., with express)
}

  1. Set NODE_ENV to "production": This tells Express to run in production mode, which enables various performance optimizations like caching view templates and CSS files generated from CSS extensions【27†source】.
export NODE_ENV=production
node app.js

if (process.env.NODE_ENV === 'production') {
  // Perform production-only operations
}
  1. Ensure your app automatically restarts: Use a process manager like StrongLoop PM, PM2, or Forever to restart your app if it crashes. Process managers can also provide insights into runtime performance and resource consumption【31†source】【32†source】.
pm2 start app.js

  1. Run your app in a cluster: Take advantage of multi-core systems by running multiple instances of your app, ideally one per CPU core, to improve performance and reliability【33†source】.

  2. Cache request results: Caching the results of requests can prevent your app from performing the same operations repeatedly, greatly improving speed and performance【37†source】.

const cache = {};

function getFromCacheOrFetch(key, fetchFunction) {
  if (cache[key]) {
    return Promise.resolve(cache[key]);
  } else {
    return fetchFunction().then(result => {
      cache[key] = result;
      return result;
    });
  }
}

// Usage
getFromCacheOrFetch('someKey', () => someExpensiveOperation())
  .then(result => {
    // Use the result
  });

  1. Use a load balancer: To scale beyond the capacity of a single instance, use a load balancer to distribute traffic across multiple instances of your app【37†source】.

  2. Use a reverse proxy: Running Express behind a reverse proxy like Nginx or HAProxy can improve performance by offloading tasks like error handling, compression, and load balancing【37†source】.

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

  1. Do logging correctly: Avoid synchronous logging and use logging levels to control the verbosity and performance impact of logging operations.

const { createLogger, format, transports } = require('winston');

const logger = createLogger({
  level: 'info',
  format: format.combine(
    format.timestamp(),
    format.json()
  ),
  transports: [
    new transports.Console(),
    new transports.File({ filename: 'combined.log' })
  ]
});

logger.info('Informational message');


  1. Handle exceptions properly: Avoid using uncaughtException to keep a process running after an exception and instead ensure robust error handling and use supervisors to restart the app【27†source】.
process.on('uncaughtException', (err) => {
  console.error('There was an uncaught error', err);
  process.exit(1); // exit application
});

// Rest of your application code


  1. Use try-catch for synchronous code: This can help manage exceptions in synchronous blocks, but it won't catch errors in asynchronous code【27†source】.
try {
  // Synchronous code that may throw errors
  const result = someSynchronousOperation();
  console.log(result);
} catch (error) {
  console.error('Error caught:', error);
}

async function someAsyncOperation() {
  try {
    const result = await asyncFunctionThatMightFail();
    console.log(result);
  } catch (error) {
    console.error('Async error caught:', error);
  }
}

  1. Use promises for asynchronous error handling: Promises can catch both explicit and implicit exceptions in asynchronous code when using .then() and .catch() chaining【27†source】.

  2. Optimize middleware: Be selective with middleware and only use what's necessary, as each piece adds to the request processing time.

  3. Compress your files: Use compression middleware like compression to reduce the size of the response body and thus improve the speed of a web app.

  4. Optimize database use: Ensure efficient database queries and use indexing to speed up data retrieval.

  5. Conduct stress testing: Test how your application behaves under high loads to identify and fix bottlenecks before they impact users in production.

These practices encompass coding patterns, configuration settings, and architectural decisions that can significantly affect the performance and reliability of an Express application. Implementing them can lead to a more efficient and stable application, capable of handling high loads and minimizing downtime.

Security

Here are the top 15 best security practices for Express in a Node.js environment:

  1. Don’t Use Deprecated or Vulnerable Versions of Express: Avoid using Express versions that are no longer maintained, such as 2.x and 3.x. Always update to the latest stable release【46†source】.

  2. Use TLS (Transport Layer Security): Secure your app by encrypting data transmitted between the client and server, thus preventing many common attacks such as packet sniffing and man-in-the-middle attacks【47†source】.

  3. Use Helmet: Helmet helps protect your app from several well-known web vulnerabilities by setting HTTP headers appropriately, like Content-Security-Policy and X-Frame-Options【48†source】.

  4. Reduce Fingerprinting: Disable the X-Powered-By header to make it harder for attackers to identify that your server is running Express, which can discourage casual exploits【49†source】.

  5. Custom Error Handlers: Modify default error messages to prevent attackers from gaining insights into the underlying architecture through error messages【50†source】.

  6. Use Cookies Securely: Avoid using the default session cookie name and set secure cookie options like httpOnly and secure flags to protect against attacks such as cross-site scripting【58†source】.

  7. Prevent Brute-force Attacks Against Authorization: Use packages like rate-limiter-flexible to block authorization attempts after a certain number of failed attempts by username/IP or from an IP over a given time period【54†source】.

  8. Ensure Your Dependencies Are Secure: Regularly perform security audits on your dependencies using tools like npm audit and stay updated with security advisories【54†source】.

  9. Avoid Other Known Vulnerabilities: Keep informed about vulnerabilities that may affect Express or its modules by following databases like Node Security Project or Snyk【54†source】.

  10. Filter and Sanitize User Input: Protect against XSS and command injection attacks by sanitizing user inputs【58†source】.

  11. Defend Against SQL Injection: Use parameterized queries or prepared statements to prevent SQL injection attacks【58†source】.

  12. Use Open-source Tools for Security Testing: Tools like sqlmap, nmap, and sslyze can be used to detect SQL injection vulnerabilities and test SSL configurations【58†source】.

  13. Ensure Safe Regular Expressions: Use safe-regex to prevent regular expression denial of service attacks【58†source】.

  14. Session Management: Utilize modules like express-session or cookie-session for managing sessions securely. For express-session, ensure a scalable session-store in production. For cookie-session, remember that session data is visible to the client【54†source】.

  15. Additional Security Plugins and Configurations: Consider additional security measures like rate-limiting, input validation, output encoding, and CSP (Content Security Policy) to protect against a variety of web-based attacks【58†source】.

These practices are essential to enhance the security posture of your Express applications and protect against common vulnerabilities and exploits.