Top Best Practices for Building Scalable and Secure Node.js Applications

Published at: 5 Feb 2025
Category: Personal Development
Author: Admin
Top Best Practices for Building Scalable and Secure Node.js Applications

With the more than 2 years of experience, these are the serveral best practices you should follow to ensure your code clean, maintainable, and performant. Below are the key best practices along with example code.

Let's take a look at what you'll need first:

1. Structure Your Project Properly.

It is very necessary to write your code in a way that another developer will not struggle to understand our project. He or she will be able to locate your functions and configurations easily without having to search through each file.

myapp/
├── controllers/
├── models/
├── routes/
├── services/
├── middlewares/
└── utils/
|
├── config/
│
├── node_modules/
│
├── .env
├── package.json
└── server.js
  • controllers: Handle the incoming requests and response.
  • models: It contain databases schemas and models
  • routes: Define the routes of the application, making sure to categorize them correctly. For example, all authentication routes should be in auth.routes.js
  • Services: Api Callings and Database Query should be included in this file.
  • middlewares: Functions to process requests before reaching the controller.

2. Use Environment Variables

Make sure to store the sensitive informations like database credentials, API keys, etc., You can use .env file along with dotenv pacakge. 

npm install dotenv

Create a .env file:

DB_URI=mongodb://localhost:27017/myapp
PORT=3000

3. Error Handling.

Proper error handling is important to keep your code working, so it is necessary that the app doesn't crash and provides helpful error messages to users and developers.
It is recommended to use a centralized error handler for your application.

4. Use Asynchronous Code Properly

Nodejs is a single-threaded, means that It can perform only one task at a time, so asynchronous opertions are crucial to ensure you server can handle mutiple requests efficiently. It is very necessary to use Async/Await for better readablity and error handling.

const fetchData = async () => {
  try {
    const data = await someAsyncOperation();
    console.log(data);
  } catch (error) {
    console.error('Error:', error);
  }
};

fetchData();

5. Use a Database ORM/ODM (eg. Mongoose for MongoDB.

As MongoDB is schema-less and flexible database, so It is very necessary to create ODM for strict data validation. to know more about mongoose you can explore my blog on mongoose. 

npm install mongoose
This is how you can create schema for your collection named users, and can define data types and certain conditions. 
const mongoose = require('mongoose');

const userSchema = new mongoose.Schema({
  username: { type: String, required: true },
  email: { type: String, required: true, unique: true },
});
// Mongoose also provide middlewares you can use them too.
const User = mongoose.model('User', userSchema);
module.exports = User;

6. Input Validation & Sanitization.

Ensure data validity and security by validating and sanitizing user input. You can use packages like express-validator for validation.

Note: Also make sure to trim request body properly before saving it to database. You can use package called trim-request for this. 

const { body, validationResult } = require('express-validator');

app.post('/register', 
  body('email').isEmail(),
  body('username').notEmpty().trim(),
  async (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    // Proceed with registration logic
  }
);

7. Logging

Use a logging library to capture logs. One popular choice is winston 

const winston = require('winston');

const logger = winston.createLogger({
  level: 'info',
  transports: [
    new winston.transports.Console(),
    new winston.transports.File({ filename: 'combined.log' })
  ]
});

module.exports = logger;

Use Proper HTTP Status Codes.

  • 200 OK: The request was successful.
  • 201 Created: The request was successful, and a new resource was created.
  • 204 No Content: The request was successful, but there is no content to return.
  • 400 Bad Request: The server could not understand the request due to invalid syntax.
  • 401 Unauthorized: Authentication is required, or the provided authentication credentials are invalid.
  • 403 Forbidden: The server understands the request but refuses to authorize it.
  • 404 Not Found: The requested resource could not be found on the server.
  • 405 Method Not Allowed: The request method (e.g., GET, POST) is not allowed for the requested resource.
  • 408 Request Timeout: The server timed out waiting for the request.
  • 409 Conflict: The request could not be processed due to a conflict with the current state of the resource.
  • 422 Unprocessable Entity: The server understands the request but cannot process the instructions (e.g., invalid data format).
  • 429 Too Many Requests: The user has sent too many requests in a given amount of time.
  • 500 Internal Server Error: The server encountered an unexpected condition that prevented it from fulfilling the request.
  • 502 Bad Gateway: The server received an invalid response from the upstream server.
  • 503 Service Unavailable: The server is temporarily unavailable, often due to maintenance or overload.
  • 504 Gateway Timeout: The server did not receive a timely response from an upstream server.

About

At Snaap.io, we aim to empower you with simple, yet powerful tools that enhance your digital workflows. Whether you're sharing links, tracking performance, or creating custom QR codes, we are here to make your online presence seamless..

Our Recent posts

Follow Us

  1. GitHub
  2. LinkedIn
  3. Instagram