Building Secure REST APIs with Node.js & Express
Building a REST API is straightforward, but building a secure one requires deliberate effort. Unsecured APIs are one of the most common attack vectors in web applications. In this guide, we cover the must-have security layers for every Node.js + Express API.
JWT Authentication & Authorization
JSON Web Tokens (JWTs) are the standard for stateless authentication. Upon login, the server issues a signed token that the client sends with every subsequent request. The server verifies the signature without needing to query the database on every request. Always store JWTs in `httpOnly` cookies, not localStorage, to protect against XSS attacks.
Rate Limiting
Without rate limiting, your API is vulnerable to brute-force attacks and denial-of-service. Libraries like `express-rate-limit` make it trivial to cap the number of requests an IP address can make in a given time window. It's one of the easiest and most effective security measures you can add.
Input Validation & Sanitization
Never trust user input. Use a library like `zod` or `joi` to validate the shape and type of all incoming data. Pair that with sanitization to strip potentially malicious HTML or NoSQL injection characters. This alone prevents a huge class of common vulnerabilities.
Combined with proper CORS configuration and environment variable management, these practices will make your API production-ready and resilient against the most common attack vectors.