Security is really hard to get right. There are so many different factors to consider, and countless different ways to break an application.
This guide is definitely not meant to address every single possible security flaw within an application. It does, however, provide a basic checklist to ensure that an Express application addresses some of the biggest security threats.
- Enable TLS/SSL
- Encode All Untrusted Data Sent to an Application
- HTML Encoding
- Prevent Parameter Pollution to Stop Possible Uncaught Exceptions
- Add Helmet to Set Sane Defaults
- Block Cross-Site Request Forgeries
- Brute Force Protection
- Command Injection
- Don’t Use Evil Regular Expressions
and many more; see the link below.
Solved: How can I know my Node.JS application security is up to standard?