Middleware is where security usually fails. Here is the professional engineering standard for Express.js platform security, using automated static analysis to audit every route and middleware layer.
This plugin is for Node.js teams building web applications with Express.js.
Quick Install
npm install --save-dev eslint-plugin-express-security
Flat Config
// eslint.config.js
import expressSecurity from 'eslint-plugin-express-security';
export default [expressSecurity.configs.recommended];
Rule Overview
| Rule | CWE | What it catches |
|---|---|---|
require-helmet |
CWE-693 | Missing security headers |
no-cors-credentials-wildcard |
CWE-346 | CORS * + credentials |
no-permissive-cors |
CWE-942 | Overly permissive CORS |
no-insecure-cookie-options |
CWE-614 | Missing cookie flags |
require-csrf-protection |
CWE-352 | No CSRF protection |
require-rate-limiting |
CWE-307 | No rate limiting |
require-express-body-parser-limits |
CWE-400 | Unlimited body size |
no-express-unsafe-regex-route |
CWE-1333 | ReDoS in routes |
no-graphql-introspection-production |
CWE-200 | Schema exposed |
Run ESLint
npx eslint .
You'll see output like:
src/app.ts
15:1 error π CWE-693 | Missing Helmet middleware
Fix: Add app.use(helmet()) before routes
src/routes/api.ts
8:1 error π CWE-346 | CORS with credentials and wildcard origin
Fix: Specify explicit origin when using credentials
src/middleware/auth.ts
22:3 error π CWE-614 | Cookie missing secure/httpOnly flags
Fix: Add { secure: true, httpOnly: true, sameSite: 'strict' }
Quick Wins
Security Headers
// β Missing security headers
const app = express();
app.use(cors());
// β
Safe: Helmet adds security headers
import helmet from 'helmet';
const app = express();
app.use(helmet());
app.use(cors({ origin: 'https://app.example.com' }));
Cookie Security
// β Insecure cookie
res.cookie('session', token);
// β
Safe: All security flags
res.cookie('session', token, {
httpOnly: true,
secure: true,
sameSite: 'strict',
maxAge: 3600000,
});
Custom Configuration
// eslint.config.js
import expressSecurity from 'eslint-plugin-express-security';
export default [
expressSecurity.configs.recommended,
{
rules: {
// Override severity
'express-security/require-rate-limiting': 'warn',
// Configure with options
'express-security/require-express-body-parser-limits': [
'error',
{
maxBodySize: '1mb',
},
],
},
},
];
Strongly-Typed Options (TypeScript)
// eslint.config.ts
import expressSecurity, {
type RuleOptions,
} from 'eslint-plugin-express-security';
const corsOptions: RuleOptions['no-permissive-cors'] = {
allowedOrigins: ['https://app.example.com'],
};
export default [
expressSecurity.configs.recommended,
{
rules: {
'express-security/no-permissive-cors': ['error', corsOptions],
},
},
];
Quick Reference
# Install
npm install --save-dev eslint-plugin-express-security
# Config (eslint.config.js)
import expressSecurity from 'eslint-plugin-express-security';
export default [expressSecurity.configs.recommended];
# Run
npx eslint .
π¦ npm: eslint-plugin-express-security
π Full Rule List
The Interlace ESLint Ecosystem
Interlace is a high-fidelity suite of static code analyzers designed to automate security, performance, and reliability for the modern Node.js stack. With over 330 rules across 18 specialized plugins, it provides 100% coverage for OWASP Top 10, LLM Security, and Database Hardening.
Explore the full Documentation
Β© 2026 Ofri Peretz. All rights reserved.
Build Securely.
I'm Ofri Peretz, a Security Engineering Leader and the architect of the Interlace Ecosystem. I build static analysis standards that automate security and performance for Node.js fleets at scale.
Top comments (0)