TickYouOff
Back
🟩

Node.js Express REST API Checklist

Medium 19 items · 2 hours
testuser's avatar
testuser Published 1 month ago

A practical, step-by-step checklist to scaffold, secure, test, and containerise a REST API using Node.js and Express. Ideal for backend developers building a production-ready API or learners following best practices.

Progress
0 / 19
  1. Initialize project and Git repo — Run npm init, create src/test folders, and git init with a main branch.
  2. Add .gitignore and .env.example — Ignore node_modules, .env; provide .env.example with required keys.
  3. Install core dependencies and dev tools — Include express, dotenv, jsonwebtoken, bcrypt, joi/zod, morgan, winston, helmet, cors, express-rate-limit, jest, supertest, nodemon.
  4. Configure environment variables with dotenv — Load .env early and keep secrets out of source control; validate required vars at startup.
  5. Set up request parsing, security headers and CORS — Enable express.json, express.urlencoded, helmet, and configure cors origin rules.
  6. Implement input validation with Joi or Zod — Create reusable schemas and validate request body, params and query strings.
  7. Add centralized error handling and 404 middleware — Return consistent JSON errors and log stack traces in non-production environments.
  8. Implement JWT authentication
  9. Store JWT secret and token expiry in env — Use a strong secret and short expiry; rotate secrets via env in production.
  10. Create auth middleware to verify tokens — Decode, verify token, attach user to request, and handle invalid tokens cleanly.
  11. Protect routes and add login/register handlers — Hash passwords, return tokens on auth, and apply middleware to private endpoints.
  12. Add rate limiting and request throttling — Use express-rate-limit to limit requests per IP and protect auth endpoints.
  13. Add logging with Morgan and Winston — Log requests, responses, and errors; separate transports for console and files/remote sinks.
  14. Add graceful shutdown and a health-check endpoint — Handle SIGINT/SIGTERM, close DB connections, and expose /health for readiness checks.
  15. Write unit and integration tests with Jest & Supertest — Cover services with unit tests and endpoints with integration tests.
  16. Write unit tests for services and utilities — Mock external calls and assert pure logic in service functions.
  17. Write integration tests for endpoints — Start the app in test mode and run endpoint tests against a test DB or mocks.
  18. Create Dockerfile and .dockerignore — Use a small base image, copy package.json first, install deps, then copy source.
  19. Build and run Docker image locally — Test container locally and ensure env, ports, and health endpoint work.
Sign in to save
📝 My Notes