Script Valley
Express.js: APIs and Middleware
Middleware Deep DiveLesson 2.4

How third-party middleware works โ€” morgan, cors, helmet

morgan HTTP logger, cors middleware, helmet security headers, npm install, app.use order, cors options origin, helmet defaults, middleware configuration

Essential Third-Party Middleware

Three middleware packages solve problems every Express API faces: security headers, cross-origin requests, and HTTP logging.

Install all three

npm install morgan cors helmet

Wire them up

const express = require('express');
const morgan = require('morgan');
const cors = require('cors');
const helmet = require('helmet');

const app = express();

// Security headers (X-Frame-Options, X-Content-Type, etc.)
app.use(helmet());

// Allow cross-origin requests
app.use(cors({
  origin: 'https://myfrontend.com', // or '*' for open APIs
  methods: ['GET', 'POST', 'PUT', 'DELETE']
}));

// HTTP request logging
app.use(morgan('dev')); // 'combined' for production

app.use(express.json());

app.get('/data', (req, res) => res.json({ ok: true }));

app.listen(3000);

helmet() sets ~15 security-related HTTP headers by default. cors() adds Access-Control-Allow-Origin headers โ€” without it, browsers block API responses from different origins. morgan('dev') outputs colorized request logs; use 'combined' for Apache-style logs in production.

Order: helmet and cors before routes. Morgan before routes so it logs all requests.

Up next

How to pass data between middleware using req object

Sign in to track progress

How third-party middleware works โ€” morgan, cors, helmet โ€” Middleware Deep Dive โ€” Express.js: APIs and Middleware โ€” Script Valley โ€” Script Valley