Script Valley
Express.js: APIs and Middleware
Testing and Deploying Express APIs · Lesson 6.3

Express app configuration for production - compression, logging, and CORS


Production Configuration for Express

Production Express configuration layers

A development Express server and a production one need different configurations for security, performance, and observability.

npm install compression

Production-ready app.js

require('dotenv').config();
const express = require('express');
const helmet = require('helmet');
const cors = require('cors');
const morgan = require('morgan');
const compression = require('compression');

const app = express();
const isProd = process.env.NODE_ENV === 'production';

// Security
app.use(helmet());
app.set('trust proxy', 1); // trust first proxy (needed for req.ip behind nginx)

// CORS - tighter in production
app.use(cors({
  origin: isProd
    ? ['https://myapp.com', 'https://www.myapp.com']
    : '*'
}));

// Compression - gzip responses
app.use(compression());

// Logging
app.use(morgan(isProd ? 'combined' : 'dev'));

app.use(express.json({ limit: '10kb' })); // limit body size

// Routes
app.use('/api', require('./routes'));

module.exports = app;

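compression() gzip-encodes responses, reducing bandwidth by 60-80% for JSON. Setting trust proxy to 1 makes req.ip return the real client IP when the app sits behind one reverse proxy (nginx, Heroku): Express trusts a single hop and reads the client address from the X-Forwarded-For header that proxy sets. Match the value to the number of proxies actually in front of the app, because a hop count that is too high lets a client-supplied X-Forwarded-For value end up in req.ip. Set body size limits to prevent large payload attacks; with express.json({ limit: '10kb' }), larger request bodies are rejected with a 413 error.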
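Why the hop count in app.set('trust proxy', 1) has to match the real deployment: the following is an added example, not code from this lesson or from Express, that models the documented way req.ip is resolved from the socket address and X-Forwarded-For. The names resolveClientIp and compareHopCounts and all addresses are constructed for illustration.

```javascript
'use strict';

// Simplified model (an assumption, not Express's own code) of how req.ip is
// chosen when 'trust proxy' is a hop count: the socket peer is hop 0, then
// X-Forwarded-For entries are read from right to left.
function resolveClientIp(socketAddr, xForwardedFor, trustedHops) {
  const forwarded = (xForwardedFor || '')
    .split(',')
    .map((entry) => entry.trim())
    .filter(Boolean)
    .reverse(); // entry appended by the nearest proxy comes first
  const chain = [socketAddr, ...forwarded];

  // Skip at most `trustedHops` addresses; the next one is the client.
  let i = 0;
  while (i < chain.length - 1 && i < trustedHops) i++;
  return chain[i];
}

// Constructed sample request: client 203.0.113.7 sends its own
// X-Forwarded-For value, and one nginx proxy (10.0.0.5) appends the
// address it actually saw before forwarding to Express.
const PROXY = '10.0.0.5';
const REAL_CLIENT = '203.0.113.7';
const CLIENT_SUPPLIED = '198.51.100.99';
const HEADER_AT_APP = `${CLIENT_SUPPLIED}, ${REAL_CLIENT}`;

function compareHopCounts() {
  return {
    // trust proxy = 0: every request appears to come from the proxy
    hops0: resolveClientIp(PROXY, HEADER_AT_APP, 0),
    // trust proxy = 1: matches the single proxy, real client is reported
    hops1: resolveClientIp(PROXY, HEADER_AT_APP, 1),
    // trust proxy = 2 with only one proxy: client-supplied value is reported
    hops2: resolveClientIp(PROXY, HEADER_AT_APP, 2),
    // trust proxy = 1 but no proxy in front: header comes straight from client
    direct: resolveClientIp(REAL_CLIENT, CLIENT_SUPPLIED, 1),
  };
}

console.log(compareHopCounts());
```

Rate limiters and access logs keyed on req.ip inherit whichever of these values the hop count selects.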
