HomeExpress.js in 5 DaysDay 5
Day 5 of 5
⏱ ~60 minutes
Express.js in 5 Days — Day 5

Deploy to Production

Environment variables, CORS, rate limiting, and deploying to Railway with a MongoDB Atlas connection.

Production Hardening

Terminal
npm install cors helmet express-rate-limit
server.js — production middleware
const cors = require('cors');
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');

// Security headers
app.use(helmet());

// CORS
app.use(cors({
  origin: process.env.ALLOWED_ORIGINS?.split(',') || '*',
  credentials: true,
}));

// Rate limiting
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,  // 15 minutes
  max: 100,                   // 100 requests per window
  message: { error: 'Too many requests' }
});
app.use('/api/', limiter);

// Auth rate limiter (stricter)
const authLimiter = rateLimit({ windowMs: 60*60*1000, max: 10 });
app.use('/api/auth/', authLimiter);
.env.example
PORT=3000
MONGODB_URI=mongodb+srv://...
JWT_SECRET=change-me-to-random-string
ALLOWED_ORIGINS=https://yourfrontend.com
Deploy to Railway
# railway.app → New Project → Deploy from GitHub
# Add environment variables in the Railway dashboard
# Railway auto-detects Node and runs: npm start

# package.json
"scripts": {
  "start": "node server.js",
  "dev": "nodemon server.js"
}
📝 Day 5 Exercise
Deploy Your Express API
  1. A
  2. d
  3. d
  5. h
  6. e
  7. l
  8. m
  9. e
  10. t
  11. ,
  13. C
  14. O
  15. R
  16. S
  17. ,
  19. a
  20. n
  21. d
  23. r
  24. a
  25. t
  26. e
  28. l
  29. i
  30. m
  31. i
  32. t
  33. i
  34. n
  35. g
  36. .
  38. S
  39. e
  40. t
  42. e
  43. n
  44. v
  45. i
  46. r
  47. o
  48. n
  49. m
  50. e
  51. n
  52. t
  54. v
  55. a
  56. r
  57. i
  58. a
  59. b
  60. l
  61. e
  62. s
  64. p
  65. r
  66. o
  67. p
  68. e
  69. r
  70. l
  71. y
  72. .
  74. P
  75. u
  76. s
  77. h
  79. t
  80. o
  82. G
  83. i
  84. t
  85. H
  86. u
  87. b
  89. a
  90. n
  91. d
  93. d
  94. e
  95. p
  96. l
  97. o
  98. y
  100. t
  101. o
  103. R
  104. a
  105. i
  106. l
  107. w
  108. a
  109. y
  110. .
  112. C
  113. o
  114. n
  115. n
  116. e
  117. c
  118. t
  120. y
  121. o
  122. u
  123. r
  125. M
  126. o
  127. n
  128. g
  129. o
  130. D
  131. B
  133. A
  134. t
  135. l
  136. a
  137. s
  139. d
  140. a
  141. t
  142. a
  143. b
  144. a
  145. s
  146. e
  147. .

Day 5 Summary

  • helmet() sets security headers with one line — always include it in production.
  • CORS: restrict origin to your actual frontend domain in production. Don't leave it as '*'.
  • Rate limiting prevents brute-force attacks on auth endpoints. Auth routes get stricter limits.
  • Never commit .env. Use .env.example as a template with placeholder values.
← Previous
Day 4: Error Handling and Validation
Course Complete
Back to Express.js in 5 Days
Finished this lesson?