Script Valley
Express.js: APIs and Middleware
Testing and Deploying Express APIs, Lesson 6.3

Express app configuration for production — compression, logging, and CORS


Production Configuration for Express

A development Express server and a production one need different configurations for security, performance, and observability.

npm install compression

Production-ready app.js

require('dotenv').config();
const express = require('express');
const helmet = require('helmet');
const cors = require('cors');
const morgan = require('morgan');
const compression = require('compression');

const app = express();
const isProd = process.env.NODE_ENV === 'production';

// Security
app.use(helmet());
app.set('trust proxy', 1); // trust first proxy (needed for req.ip behind nginx)

// CORS — tighter in production
app.use(cors({
  origin: isProd
    ? ['https://myapp.com', 'https://www.myapp.com']
    : '*'
}));

// Compression — gzip responses
app.use(compression());

// Logging
app.use(morgan(isProd ? 'combined' : 'dev'));

app.use(express.json({ limit: '10kb' })); // limit body size

// Routes
app.use('/api', require('./routes'));

module.exports = app;

compression() gzip-encodes responses, typically cutting bandwidth by 60-80% for JSON. trust proxy makes req.ip report the real client IP instead of the proxy's address when the app runs behind a reverse proxy such as nginx or Heroku. Limiting the body size rejects oversized request bodies before they are parsed, which blunts large-payload denial-of-service attempts.
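Two of the settings above are easy to get subtly wrong: the CORS origin list and the trust proxy value. The following is an added example written for this lesson, not code from the lesson's app.js or from the cors and Express packages. It shows, as plain functions that run without Express installed, a CORS origin check in the callback form that cors() accepts (reading the allowed origins from an environment variable instead of hard-coding them) and the hop-counting rule Express applies to X-Forwarded-For when trust proxy is a number. The function names parseAllowedOrigins, buildCorsOrigin and clientIp, the CORS_ORIGINS variable name and all IP addresses are assumptions made for the example.

```javascript
// Added example for this lesson (not the lesson's own code). Function names,
// the CORS_ORIGINS env var and all addresses below are constructed for illustration.

// Parse "https://myapp.com, https://www.myapp.com" (the CORS_ORIGINS env var)
// into a Set of lower-cased origins. Browsers send Origin in lower case, so
// comparing in lower case avoids a whitelist that silently never matches.
function parseAllowedOrigins(envValue) {
  return new Set(
    (envValue || '')
      .split(',')
      .map((o) => o.trim().toLowerCase())
      .filter(Boolean)
  );
}

// Returns a function with the (origin, callback) signature that the cors
// package accepts for its `origin` option:
//   app.use(cors({ origin: buildCorsOrigin(parseAllowedOrigins(process.env.CORS_ORIGINS)) }));
// - No Origin header (same-origin page, curl, server-to-server): allow; the
//   browser does not enforce CORS for those requests anyway.
// - Origin on the allowlist: allow (cors reflects that exact origin back).
// - Anything else: deny; cors then sends no CORS headers and the browser
//   refuses to expose the response to the calling page.
function buildCorsOrigin(allowed) {
  return function corsOrigin(origin, callback) {
    if (!origin) return callback(null, true);
    if (allowed.has(origin.toLowerCase())) return callback(null, true);
    return callback(null, false);
  };
}

// Drive a corsOrigin function synchronously and return its decision
// (true/false) so the check can be exercised without an HTTP request.
function decide(corsOrigin, origin) {
  let decision;
  corsOrigin(origin, (err, allow) => {
    decision = err ? false : allow;
  });
  return decision;
}

// Mirrors how Express derives req.ip from X-Forwarded-For when `trust proxy`
// is a hop count n: the address chain is [socket address, XFF rightmost,
// ..., XFF leftmost]; the first n entries are trusted proxies and req.ip is
// the entry just past them. With n = 1 behind a single reverse proxy that is
// the address the proxy appended, so an X-Forwarded-For value forged by the
// client is ignored. trustedHops === true models `trust proxy: true`: every
// hop is trusted and the leftmost, client-controlled entry wins.
function clientIp(socketAddress, xForwardedFor, trustedHops) {
  const forwarded = (xForwardedFor || '')
    .split(',')
    .map((a) => a.trim())
    .filter(Boolean);
  // Walk outward from the socket: socket first, then XFF right to left.
  const chain = [socketAddress, ...forwarded.reverse()];
  if (trustedHops === true) return chain[chain.length - 1];
  const hops = Math.min(trustedHops, chain.length - 1);
  return chain[hops];
}

// Constructed demonstration values (documentation address ranges).
const PROXY = '10.0.0.5';            // nginx's address as seen by the app
const REAL_CLIENT = '203.0.113.9';   // what the proxy appends to X-Forwarded-For
const SPOOFED = '198.51.100.77';     // what a client put in its own header

const corsOrigin = buildCorsOrigin(
  parseAllowedOrigins('https://myapp.com, https://www.myapp.com')
);
console.log('allow myapp.com:', decide(corsOrigin, 'https://myapp.com'));
console.log('allow evil.example:', decide(corsOrigin, 'https://evil.example'));
console.log('trust proxy 1:', clientIp(PROXY, `${SPOOFED}, ${REAL_CLIENT}`, 1));
console.log('trust proxy true:', clientIp(PROXY, `${SPOOFED}, ${REAL_CLIENT}`, true));
```

The last two lines are the reason the lesson's app.js uses app.set('trust proxy', 1) rather than true: with one trusted hop, req.ip (and anything built on it, such as a rate limiter) sees the address nginx recorded, while trusting every hop hands the client control over its own reported IP.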
