Common Middlewares

A detailed guide covering commonly used middlewares in ExpressJS for handling requests, security, logging, CORS, and body parsing.

Commonly Used Middlewares in ExpressJS

ExpressJS has a flexible middleware system. Besides custom middleware, several commonly used built-in and third-party middlewares simplify development and improve an app's performance, security, and debugging.


1. express.json()

Parses incoming requests with JSON payloads and makes the data available in req.body.

const express = require('express');
const app = express();

app.use(express.json());

app.post('/submit', (req, res) => {
  console.log(req.body); // { name: 'Alice', age: 30 }
  res.send('Data received');
});

app.listen(3000);

Without express.json(), req.body would be undefined for JSON payloads.


2. express.urlencoded()

Parses incoming requests with URL-encoded payloads (form data).

app.use(express.urlencoded({ extended: true }));

app.post('/form', (req, res) => {
  // req.body: { username: 'alice', password: 'secret' }
  console.log(req.body.username); // log only non-sensitive fields, never the password
  res.send('Form data received');
});
  • extended: true allows parsing nested objects.

3. express.static()

Serves static files (HTML, CSS, images, JS).

app.use(express.static('public'));
  • Files in the public/ folder are served automatically.
  • Example: GET /index.html serves public/index.html.

4. morgan

Third-party HTTP request logger middleware. Useful for debugging and monitoring.

const morgan = require('morgan');
app.use(morgan('dev'));
  • Logs each HTTP request to the console in a concise format.
  • Common presets: 'combined', 'common', 'dev', 'tiny'.

5. cors

Handles Cross-Origin Resource Sharing (CORS) policies.

const cors = require('cors');

// Enable CORS for all routes
app.use(cors());

Or customize CORS:

app.use(cors({
  origin: 'https://example.com',
  methods: ['GET', 'POST'],
}));

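Prevents CORS errors when the frontend and backend are on different origins. Called with no options, cors() allows requests from any origin (Access-Control-Allow-Origin: *), so use the customized form to restrict access to known frontends.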


6. helmet

Secures Express apps by setting various HTTP headers.

const helmet = require('helmet');
app.use(helmet());
  • Adds security headers like X-Content-Type-Options, Strict-Transport-Security, etc.
  • Highly recommended for production.

7. cookie-parser

Parses the Cookie header of incoming requests and exposes the cookies on req.cookies.

const cookieParser = require('cookie-parser');
app.use(cookieParser());

app.get('/cookies', (req, res) => {
  console.log(req.cookies);
  res.send('Cookies received');
});
  • Requires calling app.use(cookieParser()) before accessing req.cookies.

8. compression

Compresses HTTP responses to reduce payload size and improve performance.

const compression = require('compression');
app.use(compression());
  • Automatically compresses responses (gzip or deflate).
  • Reduces bandwidth and speeds up page load times.

9. Custom Middleware Example: Request Timing

A simple custom middleware to measure request processing time.

function requestTimeLogger(req, res, next) {
  const start = Date.now();
  
  res.on('finish', () => {
    const duration = Date.now() - start;
    console.log(`${req.method} ${req.url} took ${duration}ms`);
  });

  next();
}

app.use(requestTimeLogger);

Middleware Composition Example

Multiple middlewares can be chained together.

// Middleware runs in the order it is registered, so security middleware goes first
app.use(helmet());
app.use(cors());
app.use(morgan('tiny'));
app.use(compression());
app.use(express.json());

app.post('/submit', (req, res) => {
  res.send('All middlewares applied successfully');
});

Best Practices

  • Use built-in middlewares for common tasks.
  • Apply security middlewares (helmet, cors) early.
  • Use third-party middlewares like morgan and compression in development and production.
  • Keep middleware focused and avoid heavy synchronous tasks.
  • Validate user input early using body parsers and custom validation middleware.
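
The last practice above, shown as an added example that is not part of the original guide: a custom validation middleware for the /submit payload from section 1. The names validateBody, submitSchema and runOnce, the schema format (types 'string' and 'integer') and the field limits are assumptions made for illustration, not Express APIs.

```javascript
// Added example: validation middleware for bodies parsed by express.json().
// validateBody, the schema format and runOnce are illustrative names, not Express APIs.
function validateBody(schema) {
  const allowed = Object.keys(schema);
  return function (req, res, next) {
    const body = req.body;
    // A parsed JSON body may be an array; without a body parser it is undefined.
    if (body === null || typeof body !== 'object' || Array.isArray(body)) {
      return res.status(400).json({ errors: ['body must be a JSON object'] });
    }
    const errors = [];
    // Reject fields the route does not expect, including keys such as "__proto__".
    for (const key of Object.keys(body)) {
      if (!allowed.includes(key)) errors.push(`unexpected field: ${key}`);
    }
    for (const key of allowed) {
      const rule = schema[key];
      const present = Object.prototype.hasOwnProperty.call(body, key);
      if (!present) {
        if (rule.required) errors.push(`missing field: ${key}`);
        continue;
      }
      const value = body[key];
      const ok = rule.type === 'string'
        ? typeof value === 'string' && value.length >= 1 && value.length <= rule.maxLength
        : Number.isInteger(value) && value >= rule.min && value <= rule.max;
      if (!ok) errors.push(`invalid value for: ${key}`);
    }
    if (errors.length > 0) return res.status(400).json({ errors });
    next();
  };
}

// Schema for the /submit payload shown in section 1; the limits are assumptions.
const submitSchema = {
  name: { type: 'string', required: true, maxLength: 64 },
  age: { type: 'integer', required: true, min: 0, max: 150 },
};

// Runs the middleware once against a stand-in req/res pair, so no server is needed.
function runOnce(body) {
  const result = { status: 200, errors: [], passed: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(payload) { result.errors = payload.errors; return this; },
  };
  validateBody(submitSchema)({ body }, res, () => { result.passed = true; });
  return result;
}
```

In an app, register it after express.json(), for example app.post('/submit', validateBody(submitSchema), handler), so the handler only ever sees bodies that passed the checks.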