✓ FRESH Verified against Node 22.0.0, Express 5.1.0, TypeScript 5.6.0 - Mar 12, 2026
Node.js + Express Best Practices
Production-ready Node.js with Express, error handling, middleware, and security.
CLAUDE.md
# Node.js + Express Best Practices

You are an expert in Node.js, Express, TypeScript, and backend development.

Architecture:
- Use TypeScript strict mode for all code
- Structure by feature/domain, not by type (routes/, controllers/, models/)
- Use dependency injection for testability
- Implement proper error handling middleware as the last middleware
- Use async/await; never mix callbacks and promises

Middleware:
- Order matters: security headers > body parsing > auth > routes > error handler
- Use helmet() for security headers
- Use cors() with explicit origin allowlist
- Rate limiting on all public endpoints
- Request validation middleware with Zod or Joi

Error Handling:
- Create custom error classes extending Error
- Use a centralized error handler middleware
- Never expose stack traces in production
- Log errors with structured logging (pino, winston)
- Return consistent error response format

Security:
- Validate and sanitize all inputs
- Use parameterized queries; never string concatenation
- Implement CSRF protection for cookie-based auth
- Set secure cookie flags: httpOnly, secure, sameSite
- Rate limit authentication endpoints aggressively

Performance:
- Use connection pooling for databases
- Implement response caching with proper Cache-Control
- Use streaming for large responses
- Implement graceful shutdown handling
- Use cluster mode or PM2 for multi-core utilization
Add to your project root CLAUDE.md file, or append to an existing one.
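The Error Handling rules above (custom error class, centralized handler, structured log, no stack traces in production, one response format), as an added TypeScript example that is not part of the CLAUDE.md file or of this page. `AppError`, `createErrorHandler`, `ResLike`, `NextLike`, `LogFn` and the `{ error: { code, message } }` envelope are names and shapes assumed for illustration.

```typescript
// Stand-ins for the parts of Express's Response/NextFunction the handler touches
// (assumed shapes so the example runs without installing express).
interface ResLike {
  headersSent: boolean;
  status(code: number): ResLike;
  json(body: unknown): ResLike;
}
type NextLike = (err?: unknown) => void;
type LogFn = (entry: Record<string, unknown>) => void;

// Custom error class: an HTTP status plus a stable machine-readable code.
class AppError extends Error {
  readonly statusCode: number;
  readonly code: string;
  constructor(statusCode: number, code: string, message: string) {
    super(message);
    this.name = "AppError";
    this.statusCode = statusCode;
    this.code = code;
  }
}

// Structural check, so an AppError from a duplicated module copy is still recognised.
function isAppError(err: unknown): err is AppError {
  const e = err as Partial<AppError>;
  return err instanceof Error && typeof e.statusCode === "number" && typeof e.code === "string";
}

// Centralized handler: register it after all routes, as the last middleware.
// `production` and `log` are injected (e.g. a NODE_ENV check, a pino logger) for testability.
function createErrorHandler(opts: { production: boolean; log: LogFn }) {
  return (err: unknown, _req: unknown, res: ResLike, next: NextLike): void => {
    const appErr = isAppError(err) ? err : undefined;
    const status = appErr ? appErr.statusCode : 500;
    const code = appErr ? appErr.code : "INTERNAL";
    const stack = err instanceof Error ? err.stack : undefined;
    // Full detail goes to the structured log only.
    opts.log({ level: status >= 500 ? "error" : "warn", status, code, stack,
      message: err instanceof Error ? err.message : String(err) });
    // Response already started: hand over to Express's default handler.
    if (res.headersSent) { next(err); return; }
    // Same envelope for every error; 5xx text is generic so internals do not leak.
    const error: { code: string; message: string; stack?: string } = {
      code, message: appErr && status < 500 ? appErr.message : "Internal Server Error" };
    if (!opts.production && stack) error.stack = stack;
    res.status(status).json({ error });
  };
}
```

Replacing 5xx messages with a generic string goes one step beyond the rule list, which only names stack traces; raw driver or filesystem messages often carry hostnames and paths.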
Quality Score
Rank A
Average: 8.9/10