Script Valley
REST API Development: Complete Course from Beginner to Production
Authentication and Security in REST APIs, Lesson 4.3

REST API Security: CORS, Helmet, Rate Limiting, and Input Sanitization

CORS, helmet, rate limiting, express-rate-limit, input sanitization, XSS prevention, NoSQL injection, security headers, HTTPS

A REST API exposed to the internet is a target for abuse. Authentication proves identity, but security goes deeper — preventing injection attacks, cross-origin misuse, brute-force attacks, and data exposure. This lesson covers the security layer every production REST API must have.

Diagram: REST API Security Layers. Five concentric layers, outermost to innermost: HTTPS/TLS (encrypts all traffic in transit), Helmet + security headers (X-Frame-Options, CSP, HSTS), CORS whitelist (restricts allowed origins), rate limiting (prevents brute force and DDoS), input sanitization (mongo-sanitize + xss-clean).

Security Headers with Helmet

npm install helmet

const helmet = require('helmet');
// Register before any routes so every response carries the headers.
app.use(helmet());

Helmet sets HTTP security headers that protect against common attacks: X-Frame-Options prevents clickjacking, X-Content-Type-Options prevents MIME sniffing, Content-Security-Policy restricts resource loading, and Strict-Transport-Security enforces HTTPS.

CORS Configuration

npm install cors

const cors = require('cors');

// ALLOWED_ORIGINS is a comma-separated list of exact origins,
// e.g. "https://app.example.com,https://admin.example.com" (placeholder values).
app.use(cors({
  origin: process.env.ALLOWED_ORIGINS.split(','),
  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true
}));

Never use cors({ origin: '*' }) for authenticated APIs — this allows any website to make credentialed requests to your API. Always explicitly whitelist allowed origins in production.

Rate Limiting

npm install express-rate-limit

const rateLimit = require('express-rate-limit');

// General limit: 100 requests per client IP per 15-minute window.
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  standardHeaders: true,
  message: { success: false, error: { code: 'RATE_LIMIT_EXCEEDED' } }
});

app.use('/api', limiter);

// Stricter limit for login and token endpoints: 10 attempts per hour.
// Requests to /api/auth pass through both limiters.
const authLimiter = rateLimit({ windowMs: 60 * 60 * 1000, max: 10 });
app.use('/api/auth', authLimiter);

Input Sanitization

npm install express-mongo-sanitize xss-clean

const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');

// Both must run after the body parser (express.json()) and before the routes.
app.use(mongoSanitize());
app.use(xss());

express-mongo-sanitize strips keys that begin with $ (MongoDB operators such as $where or $gt) from req.body, req.query and req.params, so user input cannot be interpreted as a query operator. xss-clean removes HTML tags from user input to prevent stored XSS attacks.
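As an added example (not code from the lesson or from express-mongo-sanitize itself), this re-implements the operator stripping described above and shows the login filter it protects; the middleware assumes Express 4, where req.query is writable, and the sample payloads are constructed.

```javascript
// Recursively drop keys that MongoDB could read as an operator ("$gt", "$where")
// or as a field path ("a.b"). Input comes from JSON.parse, so it is acyclic.
function sanitizeMongo(value) {
  if (Array.isArray(value)) return value.map(sanitizeMongo);
  if (value === null || typeof value !== 'object') return value;
  const clean = {};
  for (const [key, v] of Object.entries(value)) {
    if (key.startsWith('$') || key.includes('.')) continue; // strip operator keys
    clean[key] = sanitizeMongo(v);
  }
  return clean;
}

// Express 4 style middleware: sanitize the three user-controlled inputs.
function mongoSanitizeMiddleware(req, res, next) {
  for (const part of ['body', 'query', 'params']) {
    if (req[part] && typeof req[part] === 'object') req[part] = sanitizeMongo(req[part]);
  }
  next();
}

// A naive login handler builds its filter straight from the body. Without
// sanitization, a body like { email: { $gt: '' } } becomes a filter that
// matches every document. After sanitization the operator is gone, and the
// type check below rejects anything that is not a plain string.
function buildLoginFilter(body) {
  const { email } = sanitizeMongo(body);
  if (typeof email !== 'string') throw new TypeError('email must be a string');
  return { email };
}

// Constructed sample: the classic NoSQL-injection login payload.
const injectedBody = { email: { $gt: '' }, password: { $gt: '' } };
console.log(JSON.stringify(sanitizeMongo(injectedBody))); // {"email":{},"password":{}}

module.exports = { sanitizeMongo, mongoSanitizeMiddleware, buildLoginFilter };
```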

Up next

Password Hashing, Token Storage, and Secure Practices
