[{"data":1,"prerenderedAt":217},["ShallowReactive",2],{"blog-blueprints/mern-stack":3},{"id":4,"title":5,"body":6,"category":197,"date":198,"dateModified":198,"description":199,"draft":200,"extension":201,"faq":202,"featured":200,"headerVariant":203,"image":202,"keywords":202,"meta":204,"navigation":205,"ogDescription":206,"ogTitle":202,"path":207,"readTime":208,"schemaOrg":209,"schemaType":210,"seo":211,"sitemap":212,"stem":213,"tags":214,"twitterCard":215,"__hash__":216},"blog/blog/blueprints/mern-stack.md","MERN Stack Security Blueprint",{"type":7,"value":8,"toc":185},"minimark",[9,20,23,29,34,49,53,62,66,75,79,88,97,101,106,109,112,115,118,121,124,138,173],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure a MERN Stack application,"," you need to: (1) use helmet for security headers and express-mongo-sanitize to strip MongoDB operator keys ($-prefixed and dotted) from request input, registered after the body parser so that req.body is already populated when it runs, (2) implement JWT authentication middleware that verifies the signature with an explicitly pinned algorithm and rejects expired tokens, (3) use mongoose schema validation to enforce types and length limits (validation is not output escaping; still encode data when rendering it), (4) configure CORS with an explicit origin allow-list (a wildcard origin is not permitted together with credentials), and (5) always take the user ID from the auth middleware (req.user), never from the request body or query string. This blueprint covers Express security middleware with MongoDB protection.",[21,22],"blueprint-meta",{},[24,25,26],"tldr",{},[13,27,28],{},"MERN Stack requires careful attention to NoSQL injection, Express middleware security, and JWT handling. Use mongoose with schema validation, sanitize all inputs, implement proper CORS, and store JWTs securely: if the token is read from a cookie, as the middleware below does, set it httpOnly, secure and sameSite and add CSRF protection, because the browser sends the cookie on its own without the client code attaching it. Never trust client-provided user IDs.",[30,31,33],"h2",{"id":32},"express-security-middleware-express","Express Security Middleware Express",[35,36,38],"code-block",{"label":37},"server/app.js",[39,40,45],"pre",{"className":41,"code":43,"language":44},[42],"language-text","import express from 'express'\nimport helmet from 'helmet'\nimport cors from 'cors'\nimport rateLimit from 'express-rate-limit'\nimport mongoSanitize from 'express-mongo-sanitize'\n\nconst app = express()\n\n// Security headers\napp.use(helmet())\n\n// CORS configuration\napp.use(cors({\n  origin: process.env.CLIENT_URL,\n  credentials: true,\n}))\n\n// Rate limiting\napp.use(rateLimit({\n  windowMs: 15 * 60 * 1000,\n  max: 100,\n}))\n\n// Prevent NoSQL injection\napp.use(mongoSanitize())\n\napp.use(express.json({ limit: '10kb' }))\n","text",[46,47,43],"code",{"__ignoreMap":48},"",[30,50,52],{"id":51},"jwt-authentication-middleware-nodejs","JWT Authentication Middleware Node.js",[35,54,56],{"label":55},"server/middleware/auth.js",[39,57,60],{"className":58,"code":59,"language":44},[42],"import jwt from 'jsonwebtoken'\n\nexport const protect = async (req, res, next) => {\n  const token = req.cookies.token || req.headers.authorization?.split(' ')[1]\n\n  if (!token) {\n    return res.status(401).json({ error: 'Not authorized' })\n  }\n\n  try {\n    const decoded = jwt.verify(token, process.env.JWT_SECRET)\n    req.user = await User.findById(decoded.id).select('-password')\n\n    if (!req.user) {\n      return res.status(401).json({ error: 'User not found' })\n    }\n\n    next()\n  } catch (error) {\n    return res.status(401).json({ error: 'Invalid token' })\n  }\n}\n",[46,61,59],{"__ignoreMap":48},[30,63,65],{"id":64},"mongoose-schema-validation-mongodb","Mongoose Schema Validation MongoDB",[35,67,69],{"label":68},"server/models/Post.js",[39,70,73],{"className":71,"code":72,"language":44},[42],"import mongoose from 'mongoose'\n\nconst postSchema = new mongoose.Schema({\n  title: {\n    type: 
String,\n    required: [true, 'Title is required'],\n    maxlength: [200, 'Title cannot exceed 200 characters'],\n    trim: true,\n  },\n  content: {\n    type: String,\n    required: true,\n  },\n  author: {\n    type: mongoose.Schema.Types.ObjectId,\n    ref: 'User',\n    required: true,\n  },\n}, { timestamps: true })\n\nexport default mongoose.model('Post', postSchema)\n",[46,74,72],{"__ignoreMap":48},[30,76,78],{"id":77},"protected-route-example-express","Protected Route Example Express",[35,80,82],{"label":81},"server/routes/posts.js",[39,83,86],{"className":84,"code":85,"language":44},[42],"import express from 'express'\nimport { protect } from '../middleware/auth.js'\nimport Post from '../models/Post.js'\n\nconst router = express.Router()\n\nrouter.post('/', protect, async (req, res) => {\n  const { title, content } = req.body\n\n  const post = await Post.create({\n    title,\n    content,\n    author: req.user._id,  // Use verified user from middleware\n  })\n\n  res.status(201).json(post)\n})\n\nrouter.get('/mine', protect, async (req, res) => {\n  const posts = await Post.find({ author: req.user._id })\n  res.json(posts)\n})\n",[46,87,85],{"__ignoreMap":48},[89,90,91],"warning-box",{},[13,92,93,96],{},[16,94,95],{},"Never trust client IDs."," Always use req.user from your auth middleware, never req.body.userId, req.query.userId or similar client-provided values. Also note that the route handlers above are async with no try/catch: unless you are on Express 5, which forwards rejected promises to the error handler, a mongoose ValidationError thrown by Post.create becomes an unhandled rejection (the request never gets a response and, with Node's default unhandled-rejection behaviour since v15, the process exits), so wrap the handler body in try/catch and call next(err) to return a 400 instead.",[30,98,100],{"id":99},"security-checklist","Security Checklist",[102,103,105],"h4",{"id":104},"pre-launch-checklist","Pre-Launch Checklist",[13,107,108],{},"Helmet middleware enabled (review its default Content-Security-Policy against what the React client actually loads)",[13,110,111],{},"CORS restricted to an explicit origin allow-list; CLIENT_URL must actually be set, because the cors package falls back to its permissive wildcard default when origin is undefined, which browsers then reject in combination with credentials: true",[13,113,114],{},"Rate limiting implemented (behind a reverse proxy or load balancer, set trust proxy so the limiter keys on the real client IP rather than the proxy address)",[13,116,117],{},"express-mongo-sanitize registered after express.json() and before the routes; in the app.js above it runs before the body parser, so req.body is still undefined when it sanitizes and POST bodies are never cleaned",[13,119,120],{},"JWT secret is strong and in env; jwt.verify pins the accepted algorithms (for example algorithms: ['HS256']) and tokens are issued with an expiry; note that the auth.js above also references User without importing it",[13,122,123],{},"User IDs from auth middleware only; if the token is read from req.cookies as auth.js does, cookie-parser is registered in app.js (it is missing above, so req.cookies is undefined and the middleware throws), the cookie is httpOnly, secure and sameSite, and state-changing endpoints have CSRF protection",[125,126,127,133],"related-articles",{},[128,129],"related-card",{"description":130,"href":131,"title":132},"Angular variant","/blog/blueprints/mean-stack","MEAN Stack",[128,134],{"description":135,"href":136,"title":137},"Deep dive","/blog/guides/mongodb","MongoDB Security Guide",[139,140,141,146,149],"stack-comparison",{},[142,143,145],"h3",{"id":144},"alternative-stacks","Alternative Stacks",[13,147,148],{},"Consider these related blueprints:",[150,151,152,159,166],"ul",{},[153,154,155,158],"li",{},[156,157,132],"a",{"href":131}," - Angular frontend alternative",[153,160,161,165],{},[156,162,164],{"href":163},"/blog/blueprints/nextjs-supabase-vercel","Next.js + Supabase + Vercel"," - PostgreSQL/Supabase alternative",[153,167,168,172],{},[156,169,171],{"href":170},"/blog/blueprints/t3-stack","T3 Stack"," - TypeScript-first alternative",[174,175,178,182],"cta-box",{"href":176,"label":177},"/","Start Free Scan",[30,179,181],{"id":180},"check-your-mern-stack-app","Check Your MERN Stack App",[13,183,184],{},"Scan for injection and auth issues.",{"title":48,"searchDepth":186,"depth":186,"links":187},2,[188,189,190,191,192,196],{"id":32,"depth":186,"text":33},{"id":51,"depth":186,"text":52},{"id":64,"depth":186,"text":65},{"id":77,"depth":186,"text":78},{"id":99,"depth":186,"text":100,"children":193},[194],{"id":144,"depth":195,"text":145},3,{"id":180,"depth":186,"text":181},"blueprints","2026-02-06","Security guide for MERN Stack (MongoDB, Express, React, Node.js). Prevent NoSQL injection, secure Express APIs, implement JWT auth, and protect your MERN app.",false,"md",null,"purple",{},true,"Complete security configuration for MERN Stack applications.","/blog/blueprints/mern-stack","12 min read","[object Object]","Article",{"title":5,"description":199},{"loc":207},"blog/blueprints/mern-stack",[],"summary_large_image","s29tUs7NEsdd3OKXw-ErnTJwFkGPRGyPe_UOsyddjnU",1775843920196]