Express is minimalist — it ships almost no security features by default, so the defenses are the ones the developer adds. The essentials: (1) security headers (helmet-style), (2) input validation and sanitization, (3) authorization scoped to the resource owner, not just authentication, (4) rate limiting (against brute force and DoS), (5) dependency (npm) CVE monitoring and fast patching. Add to that SSRF protection for outbound URL fetches, and secrets kept in environment variables rather than in code. The freedom of a minimal framework comes with the responsibility to defend it.