How to Create a Secure REST API in Node.js

Tips to create REST API in Node.js

In today’s interconnected world, building secure APIs is of paramount importance. Whether you are developing a web application, a mobile app, or integrating services, ensuring the security of your REST API is crucial to protect your data and your users’ privacy. Node.js, with its robust ecosystem and community support, is a popular choice for building RESTful APIs.  

In this blog post, we will explore how to create a secure REST API in Node.js.

1. Choose a Reliable Framework

Selecting a well-maintained and secure framework is the first step in building a secure REST API. Express.js is a popular choice in the Node.js community for its simplicity and flexibility. However, be sure to keep your chosen framework and its dependencies up to date to mitigate known security vulnerabilities.

2. Use HTTPS

Always use HTTPS to encrypt data transmitted between the client and the server. You can obtain SSL/TLS certificates from certificate authorities or use services like Let’s Encrypt for free certificates. Configure your Node.js server to use HTTPS by utilizing packages like https or an HTTP proxy like Nginx or Apache.

3. Authentication and Authorization

Implement strong authentication and authorization mechanisms to ensure that only authorized users can access your API. Popular authentication strategies include JSON Web Tokens (JWT), OAuth, and session-based authentication. Ensure that passwords are securely hashed and salted when stored in your database.

4. Input Validation

Validate all incoming data to prevent malicious input from causing security vulnerabilities. Use libraries like express-validator or joi to validate request parameters, body, and headers. Sanitize user inputs to protect against cross-site scripting (XSS) attacks.

5. SQL Injection Prevention

When interacting with a database, use parameterized queries or an Object-Relational Mapping (ORM) library like Sequelize or TypeORM to prevent SQL injection attacks. Avoid building SQL queries by concatenating user input.

6. Cross-Site Scripting (XSS) Protection

To prevent XSS attacks, sanitize user-generated content, and implement content security policies (CSP) that restrict the sources of executable scripts and resources. Libraries like helmet can help you set appropriate security headers.

7. Rate Limiting

Implement rate limiting to prevent abuse of your API through excessive requests. You can use libraries like express-rate-limit to set limits on the number of requests a client can make within a specified time frame.

8. Logging and Monitoring

Keep detailed logs of API activities, errors, and security-related events. Use tools like Winston or Morgan for logging and set up monitoring and alerting systems to detect suspicious activities and potential security breaches.

9. Keep Dependencies Updated

Regularly check for updates to your project’s dependencies and apply security patches promptly. Vulnerabilities in dependencies can be exploited to compromise your API’s security. 

Creating the User Module 

We’ll use Mongoose to define the user model within the user schema. First, define the schema in /users/models/users.model.js: 

javascriptCopy code 

const userSchema = new Schema({ firstName: String, lastName: String, email: String, password: String, permissionLevel: Number });  

Attach this schema to the user model: 

javascriptCopy code 

const userModel = mongoose.model('Users', userSchema);  

Now, you can implement CRUD operations in Express.js endpoints. Start with the “create user” operation: 

javascriptCopy code'/users', [ UsersController.insert ]);  

In the controller (/users/controllers/users.controller.js), hash the password appropriately: 

javascriptCopy code 

exports.insert = (req, res) => { let salt = crypto.randomBytes(16).toString

('base64'); let hash = crypto.createHmac('sha512', salt) .update(req.body.password) .digest("base64"); req.body.password = salt + "$" + hash; req.body.permissionLevel = 1; UserModel.createUser(req.body) .then((result) => { res.status(201).send({id: result._id}); }); };  

Test this by running the Node.js API server and sending a POST request with JSON data. 

Next, implement the “get user by id” feature: 

javascriptCopy code 

app.get('/users/:userId', [ UsersController.getById ]);  

In the controller: 

javascriptCopy code 

exports.getById = (req, res) => { UserModel.findById(req.params

.userId).then((result) => { res.status(200).send(result); }); };  

Similarly, add the functionality to update the user and list all users. For example: 

javascriptCopy code 

app.get('/users', [ UsersController.list ]);  

In the controller, handle user listing: 

javascriptCopy code 

exports.list = (req, res) => { // ... UserModel.list(limit, page).then((result) => { res.status(200).send(result); }) };  

Finally, implement the DELETE operation: 

javascriptCopy code 

app.delete('/users/:userId', [ UsersController.removeById ]);  

In the controller: 

javascriptCopy code 

exports.removeById = (req, res) => { UserModel.removeById(req.params

.userId) .then((result)=>{ res.status(204).send({}); }); };  

Creating the Auth Module 

Before securing the user module, create an endpoint for POST requests to /auth: 

javascriptCopy code'/auth', [ VerifyUserMiddleware.hasAuthValid

Fields, VerifyUserMiddleware.isPassword

AndUserMatch, AuthorizationController.login ]);  

In the controller, generate a JWT: 

javascriptCopy code 

exports.login = (req, res) => { // ... res.status(201).send({accessToken: token, refreshToken: refresh_token}); };  

Creating Permissions and Validations Middleware 

Define who can access the user resource: 

Public access for user registration. 

Private access for logged-in users and admins to update their profiles. 

Admin access to remove user accounts. 

To enforce these permissions, create middleware for JWT validation: 

javascriptCopy code 

exports.validJWTNeeded = (req, res, next) => { // ... };  

Also, implement middleware for checking minimum required permission levels: 

javascriptCopy code 


Required = (required_permission_level) => { // ... };  

Now, apply the authentication middleware to user module routes: 

javascriptCopy code 

app.get('/users', [ ValidationMiddleware.validJWT

Needed, PermissionMiddleware.minimum

PermissionLevelRequired(PAID), UsersController.list ]);  

Repeat this pattern for other user module routes. 

Running and Testing with Insomnia 

Insomnia is a useful REST client for testing APIs. To create a user, make a POST request with the required fields to the appropriate endpoint. Store the generated ID for future use. The API will respond with the user ID. 

Generate a JWT by making a POST request to /auth with valid user credentials (email and password). Use this token to make authenticated requests. 

In Insomnia, configure your request headers with an Authorization key in the format Bearer <JWT>. This format is essential for secure access. 


Creating a secure REST API in Node.js involves multiple layers of protection. By following the best practices, you can significantly reduce the risk of security breaches and protect your users’ data. Remember that security is an ongoing process, and staying informed about the latest security threats and best practices is essential to maintain the integrity of your API. 

Building a secure REST API is not just a technical requirement but also a responsibility towards your users and the data they trust you with. So, invest the time and effort needed to ensure the security of your Node.js REST API from the ground up. 

SkillGigs, an AI-based talent marketplace can help you get high paying IT jobs. Candidates can bid for jobs like front-end developer, software engineer among others on the platform as per their preferences. Check out most in-demand IT jobs here.  

Get High Paying IT Gigs


Sign up for SkillGigs Newsletter and Stay Ahead of the Curve

Subscribe today to get the latest healthcare industry updates