Express JS Advanced
Interview Questions with Answers
Explore Our Courses
1. What makes Express.js a minimal and unopinionated framework compared to others like NestJS or Django?
Express gives you just the HTTP primitives you need—routing, middleware composition, and request/response helpers—without enforcing architecture, directory layout, ORMs, or DI containers. NestJS layers conventions and patterns (modules, providers, controllers, dependency injection) on top of Express/Fastify, while Django ships batteries-included choices (ORM, templating, admin, migrations). With Express, you choose the view engine, validation, data layer, security stack, and project structure. That minimal surface lets small services stay tiny and lets larger systems evolve their own conventions when teams are ready.
2. How does the next() function control middleware execution flow?
next() transfers control to the next matching middleware/route in the stack. Calling next(err) skips remaining non-error middleware and jumps directly to the first error handler. If a middleware ends the response (e.g., res.send()), it should not call next() afterward; doing both can trigger “headers already sent” errors. Conditional branching is often implemented by deciding whether to respond now or call next() for later handlers.
Lorem Ispum
3. How does Express handle the request–response lifecycle internally?
Express wraps Node’s http server. For each incoming request, it builds req/res objects and walks a stack of functions registered via app.use() and HTTP verb methods. Each function receives (req, res, next).
If it sends a response (e.g., res.send(), res.json(), res.end()), the lifecycle ends. Otherwise it calls next() to continue down the stack until a matching route is found. Errors passed to next(err) short-circuit into the first error handler (err, req, res, next). If nothing handles the request, Express falls through to a 404 handler.
4. What is the role of the app.listen() method in Express?
app.listen() creates and starts the underlying Node http.Server and begins accepting connections on the given port/host. It returns the server instance, which you can use to attach sockets, close gracefully, or integrate with HTTP/2 or TLS at a lower level.
const server = app.listen(process.env.PORT || 3000, () => {
console.log('Listening…');
});
// graceful shutdown
process.on('SIGTERM', () => server.close(() => process.exit(0)));In tests, prefer exporting app and calling request(app) (Supertest) so you don’t bind a real port.
5. How do route handlers differ from middleware in Express?
Both are functions in the same pipeline, but route handlers are tied to an HTTP method and path (app.get(‘/users’, handler)), while middleware may apply globally or to a subset of paths (app.use(‘/admin’, auth)). Middleware usually performs cross-cutting concerns (auth, parsing, logging, validation) and then either terminates the response or calls next(). Route handlers are typically the terminal functions that produce the business response. You can also chain multiple handlers, mixing middleware and route logic:
app.get('/orders/:id', auth, validateId, async (req, res) => {
const order = await repo.get(req.params.id);
res.json(order);
});6. How does Express handle routing differently from Node.js native HTTP module?
With Node’s http module you inspect req.url and req.method, parse the path, and branch manually. Express builds a routing layer with method helpers (get, post, etc.), path patterns (/users/:id), and params extraction (req.params). It also composes per-route middleware and supports routers for modularity. This removes boilerplate and makes routing declarative.
// Node http (manual)
if (req.method === 'GET' && req.url.startsWith('/users/')) { /* parse id */ }
// Express (declarative)
app.get('/users/:id', (req, res) => res.json({ id: req.params.id }));
7. What are different types of middleware in Express (application, router, error-handling, built-in, third-party)?
Application-level middleware attaches to the app and can target all routes or a base path:
app.use(require('morgan')('combined')); // logging
app.use('/admin', authMiddleware);
Router-level middleware attaches to an express.Router() instance and affects only its routes:
const router = require('express').Router();
router.use(rateLimit());
router.get('/me', meHandler);
app.use('/api', router);
Error-handling middleware has four args (err, req, res, next) and centralizes error responses:
app.use((err, req, res, next) => res.status(err.status||500).json({ error: err.message }));Built-in middleware includes express.json(), express.urlencoded(), and express.static().
Third-party middleware covers concerns like security (helmet), CORS (cors), rate limiting (express-rate-limit), sessions (express-session), compression (compression), and logging (morgan, pino-http).
8. What happens if you forget to call next() in middleware?
If you neither send a response nor call next(), the request hangs until it times out because the pipeline never completes. This is a common source of “stuck” requests. In async code, unhandled promise rejections or early returns can cause the same symptom.
A robust pattern is a tiny async wrapper:
const asyncH = fn => (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);
Then wrap async middlewares and handlers to ensure thrown errors reach the error pipeline.
9. How do you implement conditional middleware execution in Express?
Gate the call to next() based on conditions, or mount middleware only on specific routes/paths. You can also write higher-order middleware that returns a middleware configured by options.
function requireRole(role) {
return (req, res, next) => {
if (req.user?.role === role) return next();
return res.status(403).json({ error: 'Forbidden' });
};
}
app.get('/admin', auth, requireRole('admin'), handler);
Or short-circuit for health checks without logging/auth:
app.use((req, res, next) => {
if (req.path === '/health') return res.send('ok');
next();
});10. How do you organize and scale middleware in large Express applications?
Separate concerns and control order explicitly. Common production pattern:
- Global infrastructure middlewares first: helmet, cors, compression, request ID, logging.
- Parsers: express.json(), express.urlencoded(), cookie/session if used.
- Authentication and authorization: token decoding, sessions, RBAC.
- Request validation: schema validators that reject bad inputs early.
- Routers by domain: app.use(‘/users’, usersRouter), each with its own router-level middlewares.
- Not-found handler: final 404 middleware.
- Central error handler: one place to format and log errors.
Use a layered folder structure so middleware is reusable and testable:
src/
middlewares/
security/
helmet.js
cors.js
logging/
requestLogger.js
errorLogger.js
auth/
decodeToken.js
requireRole.js
validation/
validate.js
routes/
users.routes.js
orders.routes.js
app.js
Prefer composable factories that accept config (e.g., allowed origins, roles). Write small, single-purpose middlewares and compose them per router. Add correlation IDs and structured logging (pino-http) so you can trace through the chain in production. Finally, enforce order in app.js, and cover the pipeline with integration tests so refactors don’t break flow.
11. How does Express handle dynamic routes (e.g., /users/:id)?
Express compiles path patterns (via path-to-regexp) and extracts dynamic segments into req.params. You define placeholders with a leading colon; Express matches the segment and populates it as a string.
app.get('/users/:id', async (req, res) => {
const { id } = req.params; // e.g., "/users/42" -> "42"
const user = await repo.findById(id);
if (!user) return res.status(404).json({ error: 'Not found' });
res.json(user);
});You can also use regex and optional segments (/files/:name.:ext?) and multiple params (/orgs/:org/users/:user).
12. What is the difference between app.use() and app.all()?
app.use() registers middleware for any HTTP method and matches by path prefix. It doesn’t end the response unless your middleware does so; typically you call next() to continue.
app.use('/admin', authMiddleware); // applies to /admin and any subpathapp.all() registers a route handler for all HTTP methods but an exact path (not a prefix). It’s useful for method-agnostic endpoints or to normalize handling.
app.all('/health', (req, res) => res.send('ok')); // matches GET, POST, etc. on /health only13. How do you implement sub-apps or modular routers in Express?
Prefer express.Router() for modular routing; mount routers under a base path. For completely isolated “sub-apps”, you can create a child express() instance and mount it—Express exposes mountpath and app.parent.
// routers/users.js
const { Router } = require('express');
const router = Router();
router.get('/', listUsers);
router.post('/', createUser);
module.exports = router;
// app.js
const usersRouter = require('./routers/users');
app.use('/api/users', usersRouter);
// sub-app (rarer but supported)
const adminApp = express();
adminApp.get('/dashboard', dashboardHandler);
app.use('/admin', adminApp);
Routers are the idiomatic choice: lighter, testable, and easy to compose.
14. How do you design RESTful APIs using Express routing?
Model resources with plural nouns and map CRUD through HTTP verbs. Return appropriate status codes and consistent JSON error shapes. Support filtering, sorting, pagination, and include Location for newly created resources.
app.get('/api/products', list); // 200
app.post('/api/products', validate(body), create); // 201 + Location
app.get('/api/products/:id', show); // 200 or 404
app.patch('/api/products/:id', updatePartial); // 200/204
app.delete('/api/products/:id', destroy); // 204Layer validation/auth as middleware. Keep controllers thin; delegate to services. Prefer idempotent PUT and safe GET. Consider ETags and conditional requests for cache-friendliness.
15. How do you implement versioning in Express APIs?
Common patterns are path, header, or subdomain. Path versioning is simplest and cache-friendly.
// Path versioning
app.use('/api/v1', v1Router);
app.use('/api/v2', v2Router);
// Media type versioning (Accept header)
app.use('/api', (req, res, next) => {
const v = req.headers['accept']?.includes('v=2') ? 'v2' : 'v1';
return (v === 'v2' ? v2Router : v1Router)(req, res, next);
});
Document deprecations, set sunset timelines, and avoid breaking changes within a version.
16. How does Express handle JSON, form, and multipart data?
Use built-in body parsers for JSON and URL-encoded forms, and a library like Multer (or Busboy/Formidable) for multipart.
app.use(express.json()); // application/json
app.use(express.urlencoded({ extended: true })); // application/x-www-form-urlencoded
const multer = require('multer'); // multipart/form-data
const upload = multer({ dest: 'uploads/' });
app.post('/upload', upload.single('file'), (req, res) => {
res.json({ name: req.file.originalname, size: req.file.size });
});
Order matters: parsers should be mounted before routes that need them.
17. How do you parse raw request bodies in Express?
Use express.raw() for specific content types, or capture the raw buffer via a verify hook for signature checks (e.g., Stripe webhooks).
// Raw bytes for a custom type
app.use('/binary-endpoint', express.raw({ type: 'application/octet-stream', limit: '5mb' }), (req, res) => {
const buf = req.body; // Buffer
// process bytes…
res.sendStatus(204);
});
// Preserve raw body alongside JSON parsing (signature verification)
app.use(express.json({
verify: (req, res, buf) => { req.rawBody = buf; }
}));
Alternatively, raw-body works too, but express.raw() is built-in and fast.
18. How do you send file downloads in Express?
Use res.download() for attachments or res.attachment() + res.sendFile() for more control. Stream from disk to avoid loading large files into memory.
const path = require('path');
app.get('/reports/:name', (req, res, next) => {
const filePath = path.join(__dirname, 'reports', req.params.name);
res.download(filePath, err => err && next(err));
});
For dynamic content, set headers yourself:
res.set('Content-Type', 'text/csv');
res.set('Content-Disposition', 'attachment; filename="export.csv"');
res.send(csvString);19. How do you handle streaming responses in Express?
Pipe Node streams to the response for large payloads, server-sent events, or proxies. Always handle errors and backpressure.
// Stream a large file
const fs = require('fs');
app.get('/big-file', (req, res, next) => {
res.type('application/pdf');
const stream = fs.createReadStream('big.pdf');
stream.on('error', next);
stream.pipe(res);
});
// Server-Sent Events (SSE)
app.get('/events', (req, res) => {
res.set({
'Content-Type': 'text/event-stream',
'Cache-Control': 'no-cache',
'Connection': 'keep-alive'
});
res.flushHeaders();
const timer = setInterval(() => res.write(`data: ${Date.now()}\n\n`), 1000);
req.on('close', () => clearInterval(timer));
});
For transforming streams, use stream.pipeline() or libraries like pump to forward backpressure and ensure cleanup.
20. How do you implement pagination logic in Express APIs?
Support both page-based and cursor-based styles. Validate inputs and cap limits to protect the service.
Page-based (simple, human-friendly):
app.get('/api/items', async (req, res) => {
const page = Math.max(parseInt(req.query.page) || 1, 1);
const limit = Math.min(parseInt(req.query.limit) || 20, 100);
const skip = (page - 1) * limit;
const [items, total] = await Promise.all([
repo.find({ skip, limit, sort: { createdAt: -1 } }),
repo.count()
]);
res.json({
page, limit, total,
totalPages: Math.ceil(total / limit),
data: items
});
});Cursor-based (performant, stable under inserts/deletes):
app.get('/api/items-cursor', async (req, res) => {
const limit = Math.min(parseInt(req.query.limit) || 20, 100);
const after = req.query.after; // e.g., last item's createdAt or opaque ID
const query = after ? { createdAt: { $lt: new Date(after) } } : {};
const items = await repo.find({ query, limit: limit + 1, sort: { createdAt: -1 } });
const hasMore = items.length > limit;
const data = hasMore ? items.slice(0, limit) : items;
const next = hasMore ? data[data.length - 1].createdAt.toISOString() : null;
res.json({ data, next });
});Always document your parameters (page, limit, after), default values, maximums, and sorting guarantees. Add indices on sort/filter fields for databases.
Lorem Ispum
21. How do you create a centralized error-handling mechanism in Express?
Add a single error middleware at the very end of your middleware chain to format and send all errors consistently. Send safe messages to clients and log full details on the server.
// routes
app.get('/boom', (req, res) => { throw new Error('Kaboom'); });
// 404 handler goes before error handler (see Q23)
app.use((req, res) => res.status(404).json({ error: 'Not Found' }));
// centralized error handler (last)
app.use((err, req, res, next) => {
const status = err.status || err.statusCode || 500;
const code = err.code || 'INTERNAL_ERROR';
const message = process.env.NODE_ENV === 'production' ? 'Internal Server Error' : err.message;
// log richly here (req id, user, stack)
res.status(status).json({ error: { code, message } });
});
Wrap async handlers so thrown/rejected errors reach this middleware:
const asyncH = fn => (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);
22. What is the difference between synchronous and asynchronous error handling in Express?
Synchronous errors thrown inside a handler are caught by Express automatically and passed to the error middleware. Asynchronous errors must be forwarded explicitly with next(err) or by using an async wrapper so unhandled promise rejections don’t crash the process.
// sync: throw works
app.get('/sync', (req, res) => { throw new Error('sync'); });
// async: use wrapper
app.get('/async', asyncH(async (req, res) => {
const data = await risky(); // if this rejects, asyncH -> next(err)
res.json(data);
}));
23. How do you handle 404 errors globally in Express?
Place a “catch-all” middleware after all routes but before the error middleware.
app.use((req, res) => {
res.status(404).json({ error: 'Not Found' });
});This runs only if no prior route matched.
24. How do you customize error messages per environment (dev vs prod)?
Use NODE_ENV to control the response surface. In production, avoid leaking stack traces; in development, include them for debugging.
app.use((err, req, res, next) => {
const status = err.status || 500;
const payload = {
error: {
message: process.env.NODE_ENV === 'production' ? 'Internal Server Error' : err.message,
...(process.env.NODE_ENV !== 'production' && { stack: err.stack })
}
};
res.status(status).json(payload);
});25. How do you propagate custom errors through middleware?
Define a custom error class with status/statusCode/code fields. When something fails, return next(new AppError(‘Bad input’, 400, ‘BAD_INPUT’)).
class AppError extends Error {
constructor(message, status = 500, code = 'INTERNAL_ERROR') {
super(message); this.status = status; this.code = code;
}
}
app.get('/users/:id', asyncH(async (req, res, next) => {
if (!/^\d+$/.test(req.params.id)) throw new AppError('Invalid ID', 400, 'INVALID_ID');
const user = await repo.findById(req.params.id);
if (!user) throw new AppError('User not found', 404, 'NOT_FOUND');
res.json(user);
}));// centralized handler from Q21 handles AppError nicely
26. How do you enable Gzip compression in Express?
Use the compression middleware to automatically compress responses that benefit from it. Place it early, but after things that modify the body.
// npm i compression
const compression = require('compression');
app.use(compression({ threshold: 1024 })); // only compress >1KB bodies
Also ensure upstream proxies (NGINX/CloudFront) handle compression for static assets.
27. How do you implement caching at the route level in Express?
Combine HTTP cache headers with a server-side cache for expensive endpoints.
HTTP caching:
app.get('/public-feed', (req, res) => {
res.set('Cache-Control', 'public, max-age=60, stale-while-revalidate=120');
res.json(feedData);
});ETag/conditional requests:
app.set('etag', 'strong'); // default is weak
// Express auto-sends ETag; if If-None-Match matches, it will 304 automatically.
Server-side cache (e.g., Redis) for computed responses:
// pseudo: cache -> compute -> cache set
app.get('/stats', cache.get, asyncH(async (req, res) => {
const result = await heavyCompute();
await cache.set(req.originalUrl, result, 60);
res.json(result);
}));Always add cache busting on data that changes, and vary keys by params/auth where needed.
28. How does clustering improve Express performance?
Node runs a single event loop per process. Clustering starts multiple worker processes (one per CPU core) to utilize multicore machines and improve throughput and resilience (a worker crash doesn’t kill the master).
// basic cluster setup
const cluster = require('cluster');
const os = require('os');
if (cluster.isPrimary) {
os.cpus().forEach(() => cluster.fork());
cluster.on('exit', () => cluster.fork()); // respawn
} else {
app.listen(process.env.PORT || 3000);
}
In production, use a process manager like PM2 (pm2 start app.js -i max) for clustering, logs, and graceful reloads.
29. How do you use load balancers effectively with Express?
Place a reverse proxy/load balancer (NGINX, HAProxy, ALB) in front of multiple app instances. Configure:
- Health checks on a lightweight /health route returning 200 fast.
- Keep-alive and connection pooling to reduce handshake overhead.
- Timeouts that are strict but realistic; set Express server.headersTimeout thoughtfully for slow clients.
- Compression and TLS termination at the proxy when appropriate.
- Sticky sessions if you use in-memory sessions; better is a shared session store so you can avoid stickiness.
- Trust proxy in Express so req.ip, secure cookies, and protocol detection work correctly:
app.set('trust proxy', 1);30. How do you minimize memory leaks in an Express app?
Adopt defensive patterns and monitor memory:
- Avoid unbounded in-memory caches; use LRU caches with size limits or Redis.
- Clean up timers, intervals, and event listeners; ensure req.on(‘close’) handlers remove subscriptions.
- Stream large files instead of buffering; use stream.pipeline() to auto-cleanup on error.
- Reuse DB connections with pools; close cursors/streams.
- Ensure every middleware either sends a response or calls next(); hung requests can accumulate.
- Use profiling tools: clinic heapprof, Chrome DevTools heap snapshots, or node –inspect.
- Watch for hot object maps keyed by untrusted input (memory growth over time).
- In production, run under a supervisor (PM2) with clustering so leaks in one worker don’t take down the entire service; use rolling restarts with graceful shutdowns:
const server = app.listen(PORT);
process.on('SIGTERM', () => server.close(() => process.exit(0)));
31. How do you prevent Cross-Site Scripting (XSS) in Express?
Use a layered approach: escape output in templates, avoid injecting untrusted HTML, enforce a strict Content Security Policy (CSP), and sanitize any user-supplied HTML.
- Prefer res.json() over building HTML strings.
- In templates, use auto-escaping helpers (e.g., Handlebars/EJS default escapes).
- Add CSP to block inline scripts and restrict sources.
- If you must render user HTML, sanitize it on the server with a library (e.g., sanitize-html) and on the client with DOMPurify.
- Never use eval, Function, or dangerously set innerHTML with untrusted input.
const helmet = require('helmet');
app.use(helmet.contentSecurityPolicy({
useDefaults: true,
directives: {
'script-src': ["'self'"], // add hashes/nonces if you have inline scripts
'object-src': ["'none'"],
'base-uri': ["'self'"]
}
}));32. How do you protect Express apps from CSRF attacks?
Require a per-request CSRF token for state-changing actions, ensure cookies are properly scoped, and validate Origin/Referer on sensitive routes.
- Use csurf to generate and validate tokens stored in a cookie or session.
- Mark auth cookies SameSite=Lax or SameSite=None; Secure (if cross-site), and HttpOnly.
- For API-only backends used by SPAs, prefer Authorization headers (Bearer tokens). If you still store tokens in cookies, you must use CSRF tokens.
// npm i csurf cookie-parser
const cookieParser = require('cookie-parser');
const csurf = require('csurf');
app.use(cookieParser());
app.use(csurf({ cookie: { httpOnly: true, sameSite: 'lax', secure: process.env.NODE_ENV==='production' }}));
app.get('/form', (req, res) => res.json({ csrfToken: req.csrfToken() }));
app.post('/transfer', (req, res) => res.send('ok')); // token must be sent back
33. How does Helmet.js improve Express security?
Helmet sets HTTP headers that mitigate common attacks: CSP to control script loading, HSTS to force HTTPS, X-Frame-Options/frameguard to prevent clickjacking, X-Content-Type-Options: nosniff to stop MIME sniffing, Referrer-Policy, Cross-Origin-Resource-Policy, and more. Configure it early in your middleware chain and tailor directives to your app.
const helmet = require('helmet');
app.use(helmet()); // sensible defaults
app.use(helmet.hsts({ maxAge: 15552000, includeSubDomains: true, preload: true })); // HTTPS only34. How do you secure cookies in Express applications?
Set the right flags and scope:
- HttpOnly: true so JS can’t read them.
- Secure: true in production so they’re sent only over HTTPS.
- SameSite: ‘lax’ for most apps; use ‘none’ (with Secure) only if you truly need cross-site cookies.
- Use short maxAge and narrow path/domain.
- Sign cookies if you need tamper detection.
res.cookie('sid', sessionId, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
maxAge: 1000 * 60 * 60
});35. How do you prevent brute-force login attempts in Express?
Rate-limit login and OTP endpoints, add incremental backoff per user/IP, and use strong password hashing.
- express-rate-limit for request caps.
- Combine keys (IP + username/email) to avoid easy bypass.
- Lock out or require CAPTCHA after too many failures.
- Hash passwords with Argon2 or bcrypt (slow, salted).
- Log and alert on spikes.
// npm i express-rate-limit
const rateLimit = require('express-rate-limit');
const loginLimiter = rateLimit({
windowMs: 15*60*1000,
max: 10,
standardHeaders: true,
legacyHeaders: false
});
app.post('/auth/login', loginLimiter, loginHandler);
36. How do you implement JWT authentication in Express?
Issue a short-lived access token after verifying credentials; verify it on protected routes. Prefer HS256 with a strong secret or RS256 with key rotation. Validate exp, aud, and iss. Send tokens via Authorization: Bearer header or an HttpOnly cookie if you’re protecting against XSS well and also handling CSRF.
// npm i jsonwebtoken
const jwt = require('jsonwebtoken');
const ACCESS_TTL = '15m';
app.post('/auth/login', async (req, res) => {
const user = await authRepo.verify(req.body.email, req.body.password);
if (!user) return res.status(401).json({ error: 'Invalid credentials' });
const token = jwt.sign({ sub: user.id, role: user.role }, process.env.JWT_SECRET, {
expiresIn: ACCESS_TTL,
issuer: 'your-app',
audience: 'your-frontend'
});
res.json({ accessToken: token });
});
// protect routes
function requireAuth(req, res, next) {
const token = (req.headers.authorization || '').replace(/^Bearer /, '');
try {
const payload = jwt.verify(token, process.env.JWT_SECRET, { issuer: 'your-app', audience: 'your-frontend' });
req.user = payload;
next();
} catch {
res.status(401).json({ error: 'Unauthorized' });
}
}
app.get('/me', requireAuth, (req, res) => res.json({ id: req.user.sub, role: req.user.role }));
37. How does session-based authentication work in Express?
After login, you store user data server-side (e.g., { id, role }) and send only a session ID cookie to the client. Subsequent requests use the cookie; the server retrieves the session from a persistent store (Redis/Mongo). This avoids sending credentials on each request and simplifies revocation, but requires sticky sessions or a shared store.
// npm i express-session connect-redis ioredis
const session = require('express-session');
const RedisStore = require('connect-redis').default;
const Redis = require('ioredis');
const redis = new Redis(process.env.REDIS_URL);
app.use(session({
store: new RedisStore({ client: redis }),
secret: process.env.SESSION_SECRET,
resave: false, saveUninitialized: false,
cookie: { httpOnly: true, secure: process.env.NODE_ENV==='production', sameSite: 'lax', maxAge: 60*60*1000 }
}));
app.post('/auth/login', async (req, res) => {
const user = await authRepo.verify(req.body.email, req.body.password);
if (!user) return res.status(401).end();
req.session.user = { id: user.id, role: user.role };
res.send('ok');
});
38. How do you integrate OAuth2 in Express apps?
Use the Authorization Code flow (with PKCE for public clients). Redirect users to the provider (Google/GitHub), receive the authorization code, exchange it for tokens, fetch the user profile, then create a local session or issue your JWT. The passport ecosystem reduces boilerplate.
Example sketch with passport-google-oauth20:
// npm i passport passport-google-oauth20 express-session
const passport = require('passport');
const GoogleStrategy = require('passport-google-oauth20').Strategy;
passport.use(new GoogleStrategy({
clientID: process.env.GOOGLE_ID,
clientSecret: process.env.GOOGLE_SECRET,
callbackURL: '/auth/google/callback'
}, async (accessToken, refreshToken, profile, done) => {
const user = await users.upsertFromGoogle(profile);
done(null, user);
}));
app.use(session({ /* as above */ }));
app.use(passport.initialize());
app.use(passport.session());
passport.serializeUser((u, done) => done(null, u.id));
passport.deserializeUser((id, done) => users.findById(id).then(u => done(null, u)));
app.get('/auth/google', passport.authenticate('google', { scope: ['profile','email'] }));
app.get('/auth/google/callback', passport.authenticate('google', { failureRedirect: '/login' }),
(req, res) => res.redirect('/dashboard'));
39. How do you manage role-based access control in Express?
Attach the user’s roles/permissions to req.user (from the session or JWT) and check them with small, reusable middlewares. Keep policy in one place; prefer permission strings over hard-coded role checks for flexibility.
function requireRole(...roles) {
return (req, res, next) => {
if (!req.user) return res.status(401).end();
if (!roles.includes(req.user.role)) return res.status(403).json({ error: 'Forbidden' });
next();
};
}
app.get('/admin/reports', requireAuth, requireRole('admin'), reportsHandler);For finer control, use permission sets and check req.user.permissions instead of broad roles.
40. How do you refresh JWT tokens securely in Express?
Use short-lived access tokens and long-lived rotating refresh tokens stored in an HttpOnly secure cookie. On each refresh, issue a new access token and a brand-new refresh token, store the new refresh token’s hash server-side, and revoke the old one to prevent replay. Detect reuse: if an old token appears after rotation, revoke the entire session.
// login -> issue access + refresh (httpOnly cookie)
app.post('/auth/login', async (req, res) => {
const user = await authRepo.verify(req.body.email, req.body.password);
if (!user) return res.status(401).end();
const access = jwt.sign({ sub: user.id, role: user.role }, process.env.JWT_SECRET, { expiresIn: '15m' });
const refresh = crypto.randomUUID(); // store hash server-side
await tokenStore.save({ userId: user.id, jti: hash(refresh), expiresAt: addDays(30) });
res.cookie('rt', refresh, { httpOnly: true, secure: isProd, sameSite: 'strict', path: '/auth/refresh', maxAge: 30*24*60*60*1000 });
res.json({ accessToken: access });
});
// refresh endpoint -> rotate
app.post('/auth/refresh', async (req, res) => {
const refresh = req.cookies.rt;
const record = await tokenStore.findByHash(hash(refresh));
if (!record) return res.status(401).end();
// rotate: delete old, issue new
await tokenStore.delete(record.jti);
const access = jwt.sign({ sub: record.userId }, process.env.JWT_SECRET, { expiresIn: '15m' });
const newRt = crypto.randomUUID();
await tokenStore.save({ userId: record.userId, jti: hash(newRt), expiresAt: addDays(30) });
res.cookie('rt', newRt, { httpOnly: true, secure: isProd, sameSite: 'strict', path: '/auth/refresh', maxAge: 30*24*60*60*1000 });
res.json({ accessToken: access });
});
Key rules:
- Access tokens short (≈15 minutes).
- Refresh tokens long (≈30–90 days) but rotated on every use.
- Store only a hash of refresh tokens server-side; treat them like passwords.
- On logout, delete the stored refresh token and clear the cookie.
- If you must use cross-site cookies, set SameSite=None; Secure and add CSRF protection on refresh and logout routes.
Lorem Ispum
41. How do you implement rate limiting in Express APIs?
Use a middleware that caps requests per client and window to protect login and expensive endpoints. Pair it with IP + user/email keys and store counters in Redis for multi-instance setups.
// npm i express-rate-limit rate-limit-redis ioredis
const rateLimit = require('express-rate-limit');
const RedisStore = require('rate-limit-redis');
const Redis = require('ioredis');
const redis = new Redis(process.env.REDIS_URL);
const loginLimiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 10,
standardHeaders: true,
legacyHeaders: false,
keyGenerator: (req) => `${req.ip}:${req.body?.email || 'anon'}`,
store: new RedisStore({ sendCommand: (...args) => redis.call(...args) })
});
app.post('/auth/login', loginLimiter, loginHandler);
Return friendly Retry-After headers, and consider express-slow-down for progressive backoff.
42. How do you handle multipart file uploads in Express?
Use Multer (or Busboy/Formidable) to parse multipart/form-data. Validate MIME/size, prefer streaming directly to cloud storage, and never trust client file names.
// npm i multer
const multer = require('multer');
const storage = multer.memoryStorage(); // or disk: { dest: 'uploads/' }
const upload = multer({
storage,
limits: { fileSize: 5 * 1024 * 1024 },
fileFilter: (req, file, cb) => {
const ok = ['image/png','image/jpeg','application/pdf'].includes(file.mimetype);
cb(ok ? null : new Error('Unsupported file type'), ok);
}
});
app.post('/upload', upload.single('file'), async (req, res) => {
// req.file.buffer contains bytes; stream to S3/GCS here
res.status(201).json({ name: req.file.originalname, size: req.file.size });
});
Scan files if needed, store only metadata in DB, and generate signed URLs for download.
43. How do you integrate WebSockets with an Express server?
Create the HTTP server from your Express app and attach a WebSocket library (Socket.IO or ws). Use auth on connection, namespaces/rooms, and heartbeats.
const http = require('http');
const server = http.createServer(app);Socket.IO example:
// npm i socket.io
const { Server } = require('socket.io');
const io = new Server(server, { cors: { origin: process.env.FRONTEND_ORIGIN, credentials: true } });
io.use((socket, next) => {
// verify JWT or session cookie
next();
});
io.on('connection', (socket) => {
socket.join(`user:${socket.handshake.auth.userId}`);
socket.on('chat:message', msg => socket.to('room:1').emit('chat:message', msg));
});
server.listen(process.env.PORT || 3000);
Behind a proxy/load balancer, enable sticky sessions or shared adapters (e.g., Redis adapter) for horizontal scale.
44. How do you implement GraphQL with Express?
Mount a GraphQL HTTP endpoint and define schema/resolvers. Use DataLoader for N+1, authorization in context, and persisted queries in production.
// npm i express-graphql graphql
const { graphqlHTTP } = require('express-graphql');
const { buildSchema } = require('graphql');
const schema = buildSchema(`
type User { id: ID!, name: String! }
type Query { user(id: ID!): User, users: [User!]! }
type Mutation { createUser(name: String!): User! }
`);
const root = {
user: ({ id }) => usersRepo.findById(id),
users: () => usersRepo.findAll(),
createUser: ({ name }, ctx) => {
ctx.requireRole('admin');
return usersRepo.create({ name });
}
};
app.use('/graphql', graphqlHTTP((req) => ({
schema,
rootValue: root,
graphiql: process.env.NODE_ENV !== 'production',
context: { req, requireRole: role => {/* auth check */} }
})));
Consider Apollo Server if you need federation, subscriptions, or plugins.
45. How do you integrate Express with gRPC or RPC-style APIs?
Run a gRPC server alongside Express and have HTTP routes delegate to gRPC clients, or expose gRPC to internal services while Express serves public HTTP.
// npm i @grpc/grpc-js @grpc/proto-loader
const grpc = require('@grpc/grpc-js');
const protoLoader = require('@grpc/proto-loader');
const pkgDef = protoLoader.loadSync('user.proto');
const proto = grpc.loadPackageDefinition(pkgDef).user;
const client = new proto.UserService(process.env.USER_SVC_ADDR, grpc.credentials.createInsecure());
app.get('/api/users/:id', (req, res) => {
client.GetUser({ id: req.params.id }, (err, resp) => {
if (err) return res.status(502).json({ error: 'Upstream error' });
res.json(resp);
});
});
For TypeScript-first RPC over HTTP, consider tRPC; for binary/streaming interop, gRPC is ideal.
46. How do you connect Express with MongoDB using Mongoose?
Create a connection early, define schemas/models, and use lean queries for read paths.
// npm i mongoose
const mongoose = require('mongoose');
await mongoose.connect(process.env.MONGO_URI);
const User = mongoose.model('User', new mongoose.Schema({
name: { type: String, required: true },
email: { type: String, required: true, unique: true }
}, { timestamps: true }));
app.get('/users', async (req, res, next) => {
const users = await User.find().lean(); // lean returns plain objects
res.json(users);
});
Handle connection errors, add indexes, and tune timeouts (serverSelectionTimeoutMS).
47. How do you handle SQL database transactions in Express apps?
Use your driver/ORM’s transaction API and pass the transaction handle through your service layer so all queries participate. Always commit or rollback in finally.
// PostgreSQL with node-postgres
// npm i pg
const { Pool } = require('pg');
const pool = new Pool({ connectionString: process.env.DATABASE_URL });
app.post('/transfer', async (req, res, next) => {
const client = await pool.connect();
try {
await client.query('BEGIN');
await client.query('UPDATE accounts SET balance = balance - $1 WHERE id=$2', [req.body.amount, req.body.from]);
await client.query('UPDATE accounts SET balance = balance + $1 WHERE id=$2', [req.body.amount, req.body.to]);
await client.query('COMMIT');
res.sendStatus(204);
} catch (e) {
await client.query('ROLLBACK');
next(e);
} finally {
client.release();
}
});
Knex, Sequelize, and Prisma expose similar transaction helpers.
48. How do you implement database connection pooling in Express?
Create a single pool per process and reuse it across requests; don’t open/close per request. Tune pool size and timeouts for your workload.
// MySQL2 example
// npm i mysql2
const mysql = require('mysql2/promise');
const pool = mysql.createPool({ uri: process.env.MYSQL_URL, connectionLimit: 10, queueLimit: 0 });
app.get('/reports', async (req, res, next) => {
const [rows] = await pool.query('SELECT * FROM reports LIMIT 100');
res.json(rows);
});
Monitor with DB metrics, avoid long transactions, and release connections reliably.
49. How do you prevent SQL/NoSQL injection in Express routes?
Use parameterized queries or query builders, validate and sanitize input, and avoid interpolating user input into query strings or Mongo operators.
// SQL: parameterized
await pool.query('SELECT * FROM users WHERE email = ?', [req.body.email]);
// Prisma/Sequelize/Knex: builders inherently parameterize
await knex('users').where({ email: req.body.email });
// Mongo: whitelist operators and fields
const q = {};
if (typeof req.query.name === 'string') q.name = req.query.name;
const users = await User.find(q).lean();
Apply schema validation (Joi/Zod) at the edge and keep DB users least-privileged.
50. How do you implement caching with Redis in Express?
Cache expensive or slow responses keyed by URL and inputs, set a TTL, and bust on writes. Use Redis for shared, cross-instance cache.
// npm i ioredis
const Redis = require('ioredis');
const redis = new Redis(process.env.REDIS_URL);
async function cacheGet(req, res, next) {
const key = `cache:${req.originalUrl}`;
const hit = await redis.get(key);
if (hit) return res.set('X-Cache', 'HIT').type('application/json').send(hit);
res.locals.cacheKey = key;
next();
}
app.get('/stats', cacheGet, async (req, res) => {
const data = await computeHeavyStats();
const body = JSON.stringify(data);
await redis.setex(res.locals.cacheKey, 60, body); // 60s TTL
res.set('X-Cache', 'MISS').type('application/json').send(body);
});
For user-specific data, include identifiers in keys; for event-driven invalidation, publish messages from your write paths to delete relevant keys.
51. How do you test Express routes with Supertest?
Export your app (without calling listen) and use Supertest to make in-memory HTTP calls. Assert status, headers, and body.
// app.js
const express = require('express');
const app = express();
app.use(express.json());
app.get('/ping', (req, res) => res.json({ ok: true }));
module.exports = app;
Test file (jest):
// app.test.js (Jest)
const request = require('supertest');
const app = require('./app');
test('GET /ping returns ok', async () => {
await request(app)
.get('/ping')
.expect('Content-Type', /json/)
.expect(200, { ok: true });
});
Keep server.js separate for prod:
// server.js
const app = require('./app');
app.listen(process.env.PORT || 3000);
52. What is the difference between integration and end-to-end testing in Express?
Integration tests run your Express stack (routing, middleware, error handler) but usually mock external boundaries (DB, queues, email) to be fast and deterministic. End-to-end tests exercise the entire deployed system over real HTTP with real infrastructure (or a close replica): reverse proxy, TLS, database, caches. Integration tests are faster and isolate app logic; E2E tests validate real wiring, configs, and permissions.
53. How do you mock database calls in Express tests?
Mock the data layer module so your route handlers see predictable results. With Jest:
// users.repo.js
module.exports = {
findById: async (id) => { /* real DB call */ }
};
Routes file
// users.routes.js
const repo = require('./users.repo');
app.get('/users/:id', async (req, res, next) => {
try {
const user = await repo.findById(req.params.id);
return user ? res.json(user) : res.status(404).end();
} catch (e) { next(e); }
});
Test file:
// users.test.js
jest.mock('./users.repo', () => ({ findById: jest.fn() }));
const repo = require('./users.repo');
const request = require('supertest'); const app = require('./app');
test('returns user', async () => {
repo.findById.mockResolvedValue({ id: '1', name: 'Ana' });
await request(app).get('/users/1').expect(200, { id: '1', name: 'Ana' });
});
For Mongoose, you can also jest.spyOn(User, ‘findById’).mockResolvedValue(…). For “integration-ish” tests, use mongodb-memory-server or a dockerized test DB.
54. How do you debug Express middleware execution order?
Give each middleware a name and log entry/exit, or use DEBUG=express:*. You can also inspect the stack (dev only).
const named = (name) => (req, res, next) => { console.log('→', name, req.path); next(); };
app.use(named('helmet'));
app.use(named('cors'));
app.use('/api', named('auth'), named('validate'), router);
// inspect order (internal, use only in dev)
console.log(app._router.stack.map(l => l.name || l.handle?.name));Structured request logging (pino-http, morgan) with a request-id helps trace flow across middlewares and services.
55. How do you test error-handling middleware in Express?
Trigger an error and assert the formatted response from your centralized handler.
// app.js
app.get('/boom', (req, res) => { throw new Error('fail'); });
app.use((err, req, res, next) => {
res.status(err.status || 500).json({ error: process.env.NODE_ENV==='production' ? 'Internal' : err.message });
});
Test file:
// app.error.test.js
const request = require('supertest'); const app = require('./app');
test('central error handler returns 500 json', async () => {
const res = await request(app).get('/boom').expect(500);
expect(res.body.error).toMatch(/fail|Internal/);
});
56. How do you deploy Express apps behind a reverse proxy like Nginx?
Run Node on localhost (e.g., 127.0.0.1:3000) and proxy public traffic through Nginx. Set headers and trust the proxy in Express.
Nginx server block:
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
}
}Express bootstrap:
app.set('trust proxy', 1); // respect X-Forwarded-*; needed for secure cookies, req.ip, HTTPS detectionUse a process manager (PM2/systemd) to keep the app alive and handle restarts:
pm2 start server.js -i max --name api
57. How do you implement HTTPS in Express with self-signed and CA certificates?
Best practice: terminate TLS at Nginx (Let’s Encrypt), keep Node HTTP behind it. If you must terminate in Node:
Generate self-signed (dev only):
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
Start HTTPS server:
const fs = require('fs');
const https = require('https');
const app = require('./app');
const opts = {
key: fs.readFileSync('key.pem'),
cert: fs.readFileSync('cert.pem') // or fullchain.pem from your CA
};
https.createServer(opts, app).listen(443);With Let’s Encrypt + Nginx, use certbot –nginx to obtain and auto-renew certs, and keep Express as HTTP behind Nginx (Q56 config plus a listen 443 ssl; server with ssl_certificate/ssl_certificate_key).
58. How do you handle environment configuration in Express across dev/staging/prod?
Follow 12-factor: config via environment variables, validate at startup, and never hardcode secrets. Use .env for local dev, provider env for staging/prod, and a small config module.
// config.js
require('dotenv').config();
const { z } = require('zod');
const schema = z.object({
NODE_ENV: z.enum(['development','test','production']),
PORT: z.string().transform(Number).default('3000'),
DATABASE_URL: z.string().url(),
JWT_SECRET: z.string().min(32),
});
const cfg = schema.parse(process.env);
module.exports = cfg;
Server file:
// server.js
const cfg = require('./config');
app.listen(cfg.PORT);
In containers/Kubernetes: use ConfigMaps/Secrets; in CI/CD: inject env at deploy time. Avoid committing .env (use .env.example).
59. How do you scale an Express application in a microservices architecture?
Design stateless services, containerize, and run multiple instances behind a load balancer. Externalize state (sessions in Redis, files in object storage). Add observability and resilience.
Key practices:
- API gateway or ingress (Nginx/Envoy/Kong) for routing, auth, rate limits.
- Service discovery (Kubernetes, Consul) and health checks (/health, /ready).
- Circuit breakers/timeouts/retries with backoff when calling other services.
- Per-service database (schema ownership) to decouple teams.
- Async messaging (Kafka/RabbitMQ/SQS) for decoupled workflows.
- Centralized logs, metrics, traces (OpenTelemetry exporting to Grafana/Loki/Tempo or ELK).
- Horizontal scale with replicas, HPA on CPU/RPS, and rollout strategies (blue-green/canary).
60. How do you integrate Express with serverless platforms like AWS Lambda?
Wrap your Express app with a Lambda adapter and expose it via API Gateway. Keep cold starts in mind and avoid global mutable state that assumes a long-lived process.
Using @vendia/serverless-express:
// app.js
const express = require('express');
const app = express();
app.get('/ping', (req, res) => res.json({ ok: true }));
module.exports = app;
lambda file:
// lambda.js
const serverlessExpress = require('@vendia/serverless-express');
const app = require('./app');
exports.handler = serverlessExpress({ app });
Deploy with SAM or Serverless Framework. For binary responses and CORS, configure API Gateway accordingly. If you don’t need Express, consider native Lambda handlers (smaller, faster). For Vercel/Netlify, deploy as serverless functions or use their Express adapters.