Script Valley
Express.js: APIs and Middleware
Middleware Deep Dive - Lesson 2.4

How third-party middleware works - morgan, cors, helmet


Essential Third-Party Middleware


Three middleware packages solve problems every Express API faces: security headers, cross-origin requests, and HTTP logging.

Install all three

npm install morgan cors helmet

Wire them up

const express = require('express');
const morgan = require('morgan');
const cors = require('cors');
const helmet = require('helmet');

const app = express();

// Security headers (X-Frame-Options, X-Content-Type-Options, etc.)
app.use(helmet());

// Allow cross-origin requests
app.use(cors({
  origin: 'https://myfrontend.com', // or '*' for open APIs
  methods: ['GET', 'POST', 'PUT', 'DELETE']
}));

// HTTP request logging
app.use(morgan('dev')); // 'combined' for production

app.use(express.json());

app.get('/data', (req, res) => res.json({ ok: true }));

app.listen(3000);

helmet() sets ~15 security-related HTTP headers by default. cors() adds the Access-Control-Allow-Origin response header; without it, browsers stop pages served from a different origin from reading the API's responses. morgan('dev') outputs colorized request logs; use 'combined' for Apache-style logs in production.

Order matters: register helmet and cors before the routes so every response carries their headers, and register morgan before the routes so it logs all requests.
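When more than one front end needs access, the cors `origin` option also accepts a function, which avoids falling back to '*'. The block below is an added example, not code from the lesson: it builds an exact-match allowlist, and the names `canonicalOrigin`, `makeOriginCheck`, `decide` and all sample origins are constructed for illustration.

```javascript
// Added example (not from the lesson): a function for the cors `origin` option.
// The names and the origins below are constructed for illustration.
const ALLOWED_ORIGINS = [
  'https://myfrontend.com/',          // trailing slash is normalized away
  'https://admin.myfrontend.com:443', // default port is normalized away
];

// Canonicalize a configured entry to scheme://host[:port]; fail fast on junk
// such as '*' so a typo never silently widens or empties the allowlist.
function canonicalOrigin(entry) {
  const origin = new URL(entry).origin; // throws TypeError on invalid input
  if (origin === 'null') throw new TypeError(`not a web origin: ${entry}`);
  return origin;
}

function makeOriginCheck(entries) {
  const allowed = new Set(entries.map(canonicalOrigin));
  // cors calls a function-valued `origin` option as (requestOrigin, callback).
  return function originCheck(requestOrigin, callback) {
    // Exact string match only: no substring, suffix, or regex tests.
    // `false` tells cors to add no CORS headers; a missing Origin header
    // (curl, same-origin navigation) arrives as undefined and gets false.
    callback(null, typeof requestOrigin === 'string' && allowed.has(requestOrigin));
  };
}

// Run the callback-style check synchronously so decisions can be inspected.
function decide(check, requestOrigin) {
  let verdict;
  check(requestOrigin, (err, ok) => { verdict = ok; });
  return verdict;
}

const check = makeOriginCheck(ALLOWED_ORIGINS);
// In the app above: app.use(cors({ origin: check, methods: ['GET', 'POST'] }));

// Constructed sample Origin header values.
for (const o of ['https://myfrontend.com', 'http://myfrontend.com',
                 'https://myfrontend.com.example.net', 'null', undefined]) {
  console.log(String(o).padEnd(36), decide(check, o) ? 'allow' : 'deny');
}
```

Only the first sample origin is allowed; the scheme mismatch, the lookalike host, the literal `null` origin and the missing header are all denied.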
