Express Best Practices
A condensed summary of the 25 most important Express practices for Node.js teams - drawn from every page in this section.
-
Use Express 5 on Node 24 LTS: Native async error handling removes wrapper boilerplate - Express 5 Migration.
-
Thin routes, fat services: Route handlers parse, call service, return response. No SQL in routes.
-
Register
express.json()before routes: Emptyreq.bodyis the top Express bug - Middleware Ordering. -
Set body size limits:
express.json({ limit: "1mb" })prevents payload attacks. -
Trust proxy with hop count: Not
true- prevents IP spoofing - Reverse Proxy Awareness. -
Rate limit after trust proxy: Otherwise all clients share the load balancer IP.
-
Use helmet on every public API: Security headers are free hardening - Security Middleware.
-
Configure CORS with explicit origins: Never
origin: *withcredentials: true. -
Stricter rate limits on auth endpoints: 10 attempts per 15 minutes on login.
-
Four-argument error middleware last: Catches throws and rejected promises - Error Handling in Express.
-
Custom
AppErrorclass with status codes: Consistent 404/422/500 responses. -
Never expose stack traces to clients: Log server-side, return generic 500 message.
-
404 catch-all before error handler: Unknown routes need explicit handling.
-
Scope auth to protected routers:
/healthand webhooks stay public. -
Use
Routerper domain:/users,/ordersin separate files. -
Disable
x-powered-by:app.disable("x-powered-by"). -
Set server timeouts:
keepAliveTimeout,headersTimeout,requestTimeouton underlying server. -
Graceful shutdown on SIGTERM: Close server before exit for zero-downtime deploys.
-
Validate input with Zod at the boundary: Before service layer, not inside.
-
Use
res.status(n).json()notres.send(status): Express 5 removed the old pattern. -
Wildcard routes use
/*splatsyntax: Express 5 breaking change from/*. -
Profile before switching to Fastify: Database is usually the bottleneck - Performance on Express.
-
Environment config via
process.env+ schema: Not hardcoded ports or secrets. -
Integration tests with supertest: Test middleware order and error shapes.
-
Document API error contract in OpenAPI: Error middleware output must match spec.
FAQs
What is the most common Express production bug?
Middleware ordering: body parser after routes, or rate limiter before trust proxy. Fix the order before optimizing anything else.
Express or Fastify for a new API in 2026?
Express if the team knows it and throughput is adequate. Fastify if you want schema validation and higher baseline performance. See Fastify vs Express ADR.
Should I use TypeScript with Express?
Yes. Type Request extensions for userId and validated body shapes. See Typing Express & Fastify Handlers.
How do I structure folders?
src/routes/, src/services/, src/middleware/, src/app.ts, src/server.ts. One router file per domain.
Is express-generator still relevant?
Use it as a reference, not a production template. Modern apps need TypeScript, ESM, and structured error handling from day one.
Related
- Express Basics - getting started
- Middleware Ordering - registration sequence
- Fastify Best Practices - alternative framework
- API Design Basics - API conventions
- Framework Selection Checklist - framework ADR
Stack versions: This page was written for Node.js 24.18.0 (Active LTS), npm 10+, TypeScript 5.6+, Express 5, Fastify 5, and NestJS 11.