tessl-labs/quickstart-express-api-standards

tessl install tessl-labs/quickstart-express-api-standards@1.0.5

Quickstart example: Express.js API coding standards (rules)

Express.js API Coding Standards

Error Handling

  • Always use try-catch blocks in async route handlers
  • Return consistent error response format:
    {
      "success": false,
      "error": "Error message",
      "code": "ERROR_CODE"
    }
  • Use appropriate HTTP status codes:
    • 400 for validation errors
    • 401 for authentication failures
    • 403 for authorization failures
    • 404 for not found
    • 409 for conflicts (e.g., duplicate entries)
    • 500 for server errors
  • Never expose internal error details or stack traces in production
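
The Error Handling rules above, sketched as an added example (not part of this tile's own files): an async wrapper plus a four-argument Express error middleware that emits the standard error format and hides unexpected error text in production. `AppError`, `asyncHandler`, `makeErrorHandler`, `simulate` and the `INTERNAL_ERROR` code are hypothetical names chosen for illustration.

```javascript
// Added example; AppError, asyncHandler, makeErrorHandler and simulate are illustrative names.
class AppError extends Error {
  constructor(status, code, message) {
    super(message);
    this.status = status; // 400, 401, 403, 404 or 409 from the list above
    this.code = code;     // machine-readable "code" field of the error response
  }
}

// Gives every async route handler its try-catch: failures go to next(err).
const asyncHandler = (fn) => async (req, res, next) => {
  try {
    await fn(req, res, next);
  } catch (err) {
    next(err);
  }
};

// Builds the four-argument Express error middleware that emits the standard format.
function makeErrorHandler({ production = process.env.NODE_ENV === 'production', log = console.error } = {}) {
  return function errorHandler(err, req, res, next) {
    if (res.headersSent) return next(err); // response already started: let Express close it
    const known = err instanceof AppError;
    log(err); // full detail, stack included, stays in the server log
    res.status(known ? err.status : 500).json({
      success: false,
      // Unexpected errors may carry SQL, paths or library internals: hide them in production.
      error: known || !production ? err.message : 'Internal server error',
      code: known ? err.code : 'INTERNAL_ERROR',
    });
  };
}

// Runs a handler through both pieces with a stub response (constructed, no server needed).
async function simulate(handler, options) {
  const res = {
    statusCode: 200, body: null, headersSent: false,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; this.headersSent = true; return this; },
  };
  const onError = makeErrorHandler({ log: () => {}, ...options });
  await asyncHandler(handler)({}, res, (err) => onError(err, {}, res, () => {}));
  return { status: res.statusCode, body: res.body };
}
// In an app: app.post('/users', asyncHandler(createUser)); then app.use(makeErrorHandler())
// after all routes, so every thrown or rejected error ends up in the same response shape.
```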

Validation

  • Validate all input using express-validator
  • Sanitize user input before processing
  • Return 400 Bad Request for validation errors with clear error messages
  • Validate data types, formats, and ranges
  • Check required fields are present

Response Format

  • Use consistent JSON response structure
  • Always include success: boolean field
  • Success responses:
    {
      "success": true,
      "data": { ... }
    }
  • Error responses (as shown in Error Handling section above)
  • Paginate list endpoints:
    • Default limit: 50 items
    • Include pagination metadata: { page, limit, total, hasMore }

Security

  • Use helmet.js for security headers
  • Enable CORS only for allowed origins (configure in environment variables)
  • Implement rate limiting on API endpoints
  • Use HTTPS in production
  • Validate and sanitize all user input to prevent injection attacks
  • Never log sensitive data (passwords, tokens, API keys)

Workspace: tessl-labs
Visibility: Public