Safeguard
Tag

express

Safeguard articles tagged "express" — guides, analysis, and best practices for software supply chain and application security.

10 articles

Application Security

Implementing HSTS correctly in Node.js and Express

HSTS has one header and three flags, yet a misconfigured includeSubDomains or a premature preload submission can take a domain offline for months.

Jul 15, 20266 min read
Application Security

Choosing a secure Node.js web framework: Express, Fastify, Koa, and NestJS compared

None of Express, Fastify, Koa, or NestJS enable security headers, CSRF protection, or input validation by default — the defaults you inherit differ more than you'd think.

Jul 14, 20266 min read
Application Security

Mass assignment in Node, Express, and Mongoose apps

One unfiltered req.body.role field can turn a signup form into an admin-creation endpoint — here's how mass assignment happens in Node and how to stop it.

Jul 14, 20266 min read
Application Security

The Security Implications of Misconfigured CORS in Node.js APIs

One line of Express middleware — reflecting Origin back with credentials: true — turns CORS from a browser protection into an authenticated data-exfiltration channel.

Jul 8, 20266 min read
Application Security

CSRF in Node.js: attack mechanics and modern mitigation

Express has never shipped CSRF protection in core, and its most popular middleware, csurf, was archived in 2022 — here's what actually replaces it.

Jul 8, 20267 min read
Security Guides

Securing Express Applications: A Layered Playbook

Express gives you almost no security by default. This playbook layers the middleware, headers, rate limits, session hardening, and input validation that turn a bare Express app into a defensible one — with Express 5 in mind.

Jul 4, 20265 min read
Security Guides

Express.js Security Guide (2026)

Express is the default web framework for Node.js — and a small, deep dependency tree that has produced open-redirect, XSS, and ReDoS CVEs. Here is how to run Express safely in 2026.

Jul 2, 20266 min read
Vulnerability Analysis

Express qs library prototype pollution DoS (CVE-2022-24999)

CVE-2022-24999 lets attackers pollute Object.prototype through qs, the query-string parser Express relies on, crashing Node.js applications.

Jan 6, 20267 min read
Dev Practices

Node.js Backend Security Checklist

A working checklist for securing a Node.js backend: dependency hygiene, input validation, secrets, HTTP headers, and the CI gates that keep regressions out.

Mar 18, 20256 min read
Application Security

Express and Node.js Security Hardening

Practical security hardening for Express.js applications covering middleware, input validation, and production deployment.

Jan 12, 20244 min read
express — Safeguard Blog