expressjs-development
Provides comprehensive guidance for building production-ready web applications and REST APIs using Express.js.
Security score
The expressjs-development skill was audited on Feb 9, 2026 and we found 35 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context (13 findings)

| Line | Code |
|---|---|
| 52 | console.log(`Server running on port ${PORT}`); |
| 99 | res.json({ message: `Update user ${req.params.id}` }); |
| 103 | res.json({ message: `Delete user ${req.params.id}` }); |
| 168 | res.json({ message: `Get user ${req.params.id}` }); |
| 190 | console.log(`${req.method} ${req.path}`); |
| 272 | console.log(`${req.method} ${req.path} ${res.statusCode} ${duration}ms`); |
| 445 | res.send(`${user.name}`); |
| 448 | res.send(`<p>${user.name}</p>`); |
| 1042 | .get(`/api/users/${user._id}`) |
| 1069 | .set('Authorization', `Bearer ${token}`) |
| 1251 | const key = `cache:${req.originalUrl}`; |
| 1332 | error = new ValidationError(`${field} already exists`); |
| 1457 | console.log(`Server running on port ${PORT}`); |

Webhook reference - potential data exfiltration (1 finding)

| Line | Code |
|---|---|
| 26 | - Building webhook handlers and integrations |

Access to .env file (17 findings)

| Line | Code |
|---|---|
| 50 | const PORT = process.env.PORT \|\| 3000; |
| 62 | app.set('port', process.env.PORT \|\| 3000); |
| 63 | app.set('env', process.env.NODE_ENV \|\| 'development'); |
| 287 | const decoded = jwt.verify(token, process.env.JWT_SECRET); |
| 478 | ...(process.env.NODE_ENV === 'development' && { stack: err.stack }) |
| 736 | process.env.JWT_SECRET, |
| 770 | process.env.JWT_SECRET, |
| 792 | const decoded = jwt.verify(refreshToken, process.env.REFRESH_SECRET); |
| 796 | process.env.JWT_SECRET, |
| 815 | const decoded = jwt.verify(token, process.env.JWT_SECRET); |
| 919 | await mongoose.connect(process.env.MONGODB_URI, { |
| 1065 | const token = jwt.sign({ userId: '123' }, process.env.JWT_SECRET); |
| 1114 | origin: process.env.ALLOWED_ORIGINS?.split(',') \|\| 'https://example.com', |
| 1347 | ...(process.env.NODE_ENV === 'development' && { stack: err.stack }) |
| 1364 | level: process.env.LOG_LEVEL \|\| 'info', |
| 1376 | if (process.env.NODE_ENV !== 'production') { |
| 1455 | const PORT = process.env.PORT \|\| 3000; |

External URL reference (4 findings)

| Line | Code |
|---|---|
| 253 | origin: 'https://example.com', |
| 403 | res.redirect(301, 'https://example.com'); |
| 1114 | origin: process.env.ALLOWED_ORIGINS?.split(',') \|\| 'https://example.com', |
| 1124 | const allowedOrigins = ['https://example.com', 'https://app.example.com']; |