How to Secure Your Node.js API in Production — Auth, Rate Limiting, and Secrets (2026)

How to Secure Your Node.js API in Production — Auth, Rate Limiting, and Secrets (2026) | Expliq

typescript

src/validators/auth.ts

import { z } from 'zod';

export const RegisterSchema = z.object({
  email: z.string().email().max(255),
  password: z
    .string()
    .min(8, 'Password must be at least 8 characters')
    .max(128)
    .regex(/[A-Z]/, 'Must contain uppercase')
    .regex(/[0-9]/, 'Must contain a number'),
  name: z.string().min(1).max(100).trim(),
});

export const LoginSchema = z.object({
  email: z.string().email().max(255),
  password: z.string().max(128),
});

export type RegisterInput = z.infer<typeof RegisterSchema>;
export type LoginInput = z.infer<typeof LoginSchema>;

typescript

src/middleware/validate.ts

import { Request, Response, NextFunction } from 'express';
import { ZodSchema, ZodError } from 'zod';

export function validate(schema: ZodSchema) {
  return (req: Request, res: Response, next: NextFunction) => {
    const result = schema.safeParse(req.body);
    if (!result.success) {
      const errors = result.error.errors.map(e => ({
        field: e.path.join('.'),
        message: e.message,
      }));
      return res.status(400).json({ error: 'Validation failed', details: errors });
    }
    req.body = result.data;  // replace with parsed + sanitised data
    next();
  };
}

// Usage:
// app.post('/register', validate(RegisterSchema), registerHandler);

typescript

src/lib/tokens.ts

import jwt from 'jsonwebtoken';
import crypto from 'crypto';

const ACCESS_SECRET = process.env.JWT_ACCESS_SECRET!;
const REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;

if (!ACCESS_SECRET || !REFRESH_SECRET) {
  throw new Error('JWT secrets must be set in environment variables');
}

export function signAccessToken(userId: string): string {
  return jwt.sign({ sub: userId, type: 'access' }, ACCESS_SECRET, {
    expiresIn: '15m',
    algorithm: 'HS256',
    issuer: process.env.APP_URL,
  });
}

export function signRefreshToken(userId: string): string {
  return jwt.sign({ sub: userId, type: 'refresh' }, REFRESH_SECRET, {
    expiresIn: '7d',
    algorithm: 'HS256',
    issuer: process.env.APP_URL,
  });
}

export function verifyAccessToken(token: string): { sub: string } {
  return jwt.verify(token, ACCESS_SECRET, {
    algorithms: ['HS256'],   // reject 'none' and other algorithms
    issuer: process.env.APP_URL,
  }) as { sub: string };
}

export function verifyRefreshToken(token: string): { sub: string } {
  return jwt.verify(token, REFRESH_SECRET, {
    algorithms: ['HS256'],
    issuer: process.env.APP_URL,
  }) as { sub: string };
}

typescript

src/middleware/authenticate.ts

import { Request, Response, NextFunction } from 'express';
import { verifyAccessToken } from '../lib/tokens';

declare global {
  namespace Express {
    interface Request {
      userId: string;
    }
  }
}

export function authenticate(req: Request, res: Response, next: NextFunction) {
  const authHeader = req.headers.authorization;
  if (!authHeader?.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Missing or invalid Authorization header' });
  }

  try {
    const token = authHeader.slice(7);
    const payload = verifyAccessToken(token);
    req.userId = payload.sub;
    next();
  } catch {
    return res.status(401).json({ error: 'Invalid or expired token' });
  }
}

typescript

src/routes/auth.ts — Refresh Token Endpoint

// Refresh tokens delivered and stored in httpOnly cookie (not localStorage)
app.post('/auth/login', validate(LoginSchema), async (req, res) => {
  const { email, password } = req.body;
  const user = await db.users.findByEmail(email);
  if (!user || !await bcrypt.compare(password, user.passwordHash)) {
    logSecurityEvent('login_failed', req, { email });
    return res.status(401).json({ error: 'Invalid credentials' });
  }

  const accessToken = signAccessToken(user.id);
  const refreshToken = signRefreshToken(user.id);

  // Store refresh token hash in DB for rotation/revocation
  await db.refreshTokens.create({
    userId: user.id,
    tokenHash: crypto.createHash('sha256').update(refreshToken).digest('hex'),
    expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
  });

  res
    .cookie('refreshToken', refreshToken, {
      httpOnly: true,   // inaccessible to JavaScript
      secure: true,     // HTTPS only
      sameSite: 'strict',
      maxAge: 7 * 24 * 60 * 60 * 1000,
    })
    .json({ accessToken });
});

app.post('/auth/refresh', async (req, res) => {
  const refreshToken = req.cookies.refreshToken;
  if (!refreshToken) return res.status(401).json({ error: 'No refresh token' });

  try {
    const payload = verifyRefreshToken(refreshToken);
    const tokenHash = crypto.createHash('sha256').update(refreshToken).digest('hex');
    const stored = await db.refreshTokens.findValid(payload.sub, tokenHash);
    if (!stored) return res.status(401).json({ error: 'Token revoked' });

    // Rotate: delete old, issue new
    await db.refreshTokens.delete(stored.id);
    const newRefresh = signRefreshToken(payload.sub);
    await db.refreshTokens.create({ userId: payload.sub, tokenHash: crypto.createHash('sha256').update(newRefresh).digest('hex'), expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000) });

    res
      .cookie('refreshToken', newRefresh, { httpOnly: true, secure: true, sameSite: 'strict', maxAge: 7 * 24 * 60 * 60 * 1000 })
      .json({ accessToken: signAccessToken(payload.sub) });
  } catch {
    res.status(401).json({ error: 'Invalid refresh token' });
  }
});

typescript

src/lib/rateLimiter.ts

import rateLimit from 'express-rate-limit';
import RedisStore from 'rate-limit-redis';
import Redis from 'ioredis';

const redis = new Redis(process.env.REDIS_URL!);

function createLimiter(options: { max: number; windowMinutes: number; prefix: string }) {
  return rateLimit({
    windowMs: options.windowMinutes * 60 * 1000,
    max: options.max,
    standardHeaders: true,
    legacyHeaders: false,
    store: new RedisStore({
      sendCommand: (...args: string[]) => redis.call(...args),
      prefix: `rl:${options.prefix}:`,
    }),
    handler: (req, res) => {
      res.status(429).json({
        error: 'Too many requests',
        retryAfter: Math.ceil(options.windowMinutes * 60),
      });
    },
  });
}

// Different limits for different endpoint sensitivity
export const globalLimiter = createLimiter({ max: 100, windowMinutes: 1, prefix: 'global' });
export const loginLimiter = createLimiter({ max: 10, windowMinutes: 15, prefix: 'login' });
export const registerLimiter = createLimiter({ max: 5, windowMinutes: 60, prefix: 'register' });
export const passwordResetLimiter = createLimiter({ max: 3, windowMinutes: 60, prefix: 'pwreset' });

typescript

src/app.ts — Applying Rate Limiters

import { globalLimiter, loginLimiter, registerLimiter } from './lib/rateLimiter';

// Global limit on all routes
app.use(globalLimiter);

// Strict limits on auth endpoints
app.post('/auth/login', loginLimiter, validate(LoginSchema), loginHandler);
app.post('/auth/register', registerLimiter, validate(RegisterSchema), registerHandler);
app.post('/auth/forgot-password', passwordResetLimiter, forgotPasswordHandler);

Option	Best For	Cost	Complexity
.env + .gitignore	Development only	Free	Low — but not for prod
Doppler	Startups, multi-environment	Free tier	Low
AWS Secrets Manager	AWS-deployed apps	~$0.40/secret/month	Medium
HashiCorp Vault	Self-hosted, enterprise	Free OSS	High
Vercel/Railway env vars	PaaS-deployed apps	Included	Very low

typescript

src/lib/config.ts — Validated Environment

import { z } from 'zod';

// Define and validate all required env vars at startup
// App crashes immediately if any are missing — better than silent failures
const EnvSchema = z.object({
  NODE_ENV: z.enum(['development', 'test', 'production']),
  PORT: z.coerce.number().default(3000),
  DATABASE_URL: z.string().url(),
  REDIS_URL: z.string().url(),
  JWT_ACCESS_SECRET: z.string().min(32),
  JWT_REFRESH_SECRET: z.string().min(32),
  APP_URL: z.string().url(),
  BCRYPT_ROUNDS: z.coerce.number().min(10).default(12),
});

const parsed = EnvSchema.safeParse(process.env);

if (!parsed.success) {
  console.error('Invalid environment configuration:');
  console.error(parsed.error.flatten().fieldErrors);
  process.exit(1);
}

export const config = parsed.data;

typescript

src/app.ts — Full Security Header Setup

import helmet from 'helmet';
import cors from 'cors';

const ALLOWED_ORIGINS = (process.env.ALLOWED_ORIGINS ?? '').split(',');

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:', 'https:'],
      connectSrc: ["'self'"],
      frameSrc: ["'none'"],
      objectSrc: ["'none'"],
    },
  },
  hsts: {
    maxAge: 31536000,          // 1 year
    includeSubDomains: true,
    preload: true,
  },
}));

app.use(cors({
  origin: (origin, callback) => {
    // Allow requests with no origin (mobile apps, curl)
    if (!origin || ALLOWED_ORIGINS.includes(origin)) {
      callback(null, true);
    } else {
      callback(new Error('CORS policy violation'));
    }
  },
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
}));

// Enforce HTTPS in production
app.use((req, res, next) => {
  if (process.env.NODE_ENV === 'production' && req.headers['x-forwarded-proto'] !== 'https') {
    return res.redirect(301, `https://${req.headers.host}${req.url}`);
  }
  next();
});

typescript

src/lib/logger.ts

import { Request } from 'express';

type SecurityEvent =
  | 'login_success' | 'login_failed'
  | 'register_success'
  | 'token_refresh' | 'token_invalid'
  | 'access_denied'
  | 'rate_limit_hit'
  | 'password_reset_requested';

export function logSecurityEvent(
  event: SecurityEvent,
  req: Request,
  meta?: Record<string, unknown>
) {
  const entry = {
    level: 'security',
    timestamp: new Date().toISOString(),
    event,
    ip: req.ip ?? req.socket.remoteAddress,
    userId: (req as any).userId ?? null,
    userAgent: req.headers['user-agent'],
    method: req.method,
    path: req.path,
    requestId: req.headers['x-request-id'],
    ...meta,
  };
  // In production, pipe to your logging service (Datadog, Logtail, CloudWatch)
  console.log(JSON.stringify(entry));
}

// Middleware: log all 4xx/5xx responses
export function responseLogger(req: Request, res: any, next: any) {
  res.on('finish', () => {
    if (res.statusCode >= 400) {
      logSecurityEvent(
        res.statusCode === 403 ? 'access_denied' : 'login_failed',
        req,
        { statusCode: res.statusCode }
      );
    }
  });
  next();
}

dockerfile

Dockerfile — Hardened Node.js

# Use specific version — not 'latest' (unpredictable, unauditable)
FROM node:22.3-alpine3.20

# Run as non-root user
RUN addgroup -g 1001 -S nodejs && adduser -S nodeapp -u 1001

WORKDIR /app

# Copy package files first for layer caching
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force

COPY --chown=nodeapp:nodejs . .

# Switch to non-root before running
USER nodeapp

EXPOSE 3000

# Use node directly — not npm start (npm has root privileges)
CMD ["node", "dist/server.js"]

yaml

.github/workflows/security.yml

name: Security Audit

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 9 * * 1'  # Weekly Monday 9am

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '22'

      - run: npm ci

      - name: npm audit
        run: npm audit --audit-level=high

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

How to Secure Your Node.js API in Production — Auth, Rate Limiting, and Secrets (2026)

Your API Is Public the Moment It Ships

Step 1 — Input Validation with Zod

More from Expliq

Web Application Security for Developers — OWASP Top 10 Explained With Code (2026)

Linux Server Hardening Guide for Developers — SSH, Firewall, and Fail2Ban (2026)

Step 2 — JWT Authentication Done Right

Step 3 — Rate Limiting with Redis

Step 4 — Secrets Management

Step 5 — Security Headers and HTTPS

Step 6 — Structured Security Logging

Step 7 — Dependency and Container Hardening

Complete Security Checklist

Deep tech stories, delivered weekly.