node

Shipping a deploy with a missing env var is an easy way to create a confusing outage. process.env is just a bag of strings, so I parse env at startup, validate required variables, and fail fast with a clear message. The other win is type safety: once

Most security issues aren’t exotic—they’re missing headers and unsafe defaults. helmet gives a sensible baseline: headers that reduce clickjacking risk, tighten content-type sniffing, and improve general browser hardening. I still configure CSP explic

For webhooks, I assume the internet is hostile by default. I don’t trust that a request ‘looks like’ it came from Stripe/GitHub/etc; I verify the signature over the raw request body and use crypto.timingSafeEqual to avoid leaking information via timin

GraphQL makes it very easy to accidentally create N+1 query explosions. DataLoader batches requests for the same resource during a single tick and gives you per-request caching. The trick is scoping: loaders must be per-request, not global singletons,

Letting users paste rich content is a product requirement that can become a security nightmare. I never try to write my own sanitizer. Instead, I run HTML through DOMPurify using JSDOM on the server and keep the allowlist small (minimal tags + attribu

Most ‘caching’ bugs are really invalidation bugs, so I stick to a simple cache-aside pattern with conservative TTLs and treat cache misses as normal. The big failure mode to avoid is a stampede: if many requests miss at once, you can crush your DB. Fo

Background jobs will fail in production, so I like having a predictable story for retries and poison messages. BullMQ is a solid middle ground: Redis-backed, straightforward, and good enough for most apps. I set explicit attempts and backoff, and when

Email is still a core product channel, and it’s easy to ship broken messages if you don’t treat it like code. I keep templates in source control, render them with a simple templating engine, and send via nodemailer (or a provider SDK). I always includ

Without a centralized error handler, you end up with a mix of thrown errors, ad-hoc res.status(500) blocks, and inconsistent JSON shapes. I use one Express error middleware that maps known errors to stable codes and logs unknown errors with request co

When a dependency starts timing out, naive retries can amplify the outage by piling on more work. A circuit breaker gives the system a chance to breathe: after enough failures, it opens and returns a fast error, then it half-opens to probe recovery. I

One /health endpoint is ambiguous: is the process alive, or is it actually ready to serve traffic? I split them. Liveness answers ‘should the orchestrator restart me?’ and is usually just ‘the event loop is alive’. Readiness answers ‘can I accept traf

When I want ‘real time’ updates without the operational overhead of WebSockets, I reach for Server-Sent Events (SSE). It’s just streaming HTTP, so it behaves well behind proxies and is easy to reason about. I set the right headers (Content-Type: text/