Secure Form Management with Express.js: Express-Validator Guide
In web applications, user-supplied data is the biggest security risk.
Forms, file uploads and API requests must all be checked before they are processed.
In this guide you will learn how to validate and sanitize form inputs with Express-Validator in Express.js projects.
The aim is clear:
Establishing a solid line of defense against attacks such as SQL Injection and XSS.
What Will You Learn in This Guide?
- Form validation with Express-Validator
- Difference between Validation and Sanitization
- Improving user experience with error messages
- Secure file upload logic
- Establishing a clean and scalable structure
Prerequisites
Before you start you should have the following ready:
- Node.js v14.x or above
- Basic JavaScript knowledge
- Prior experience with Express.js
- Terminal access
Why Should We Do Form Validation?
Form validation is not a choice, it is a necessity.
Main reasons:
- Security: it blocks malicious SQL or script input before it reaches your code.
- Data integrity: it prevents incorrectly formatted data from entering the database.
- User experience: errors are displayed immediately and clearly.
Project Setup
Start Project
mkdir genixnode-form-demo
cd genixnode-form-demo
npm init -y
- These commands create a new Node.js project with a default package.json.
Install Required Packages
npm install express express-validator
npm install --save-dev nodemon
- Express provides the HTTP server; Express-Validator performs the validation. nodemon restarts the server on file changes during development.
Basic Form Validation Example
- Below is a simple /signup endpoint.
const express = require("express");
const { body, validationResult } = require("express-validator");
const app = express();

// Parse JSON request bodies so that req.body is available to the validators.
app.use(express.json());

app.post(
  "/signup",
  [
    // One chain per field; withMessage() sets the message reported when the check fails.
    body("name")
      .notEmpty()
      .withMessage("İsim alanı boş bırakılamaz"),
    body("email")
      .isEmail()
      .withMessage("Geçerli bir e-posta giriniz"),
    body("password")
      .notEmpty()
      .withMessage("Şifre gereklidir"),
  ],
  (req, res) => {
    // Collect the results of all chains above; reject with 400 if any failed.
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    res.json({ success: "Kayıt başarılı!" });
  }
);

app.listen(3000, () =>
  console.log("Sunucu http://localhost:3000 adresinde çalışıyor")
);
- This structure checks incoming data before the route handler touches it; the handler only runs with input that passed every chain.
| Validator | Description |
|---|---|
| isEmail() | Email format |
| isLength() | Length control |
| isNumeric() | Numerical data |
| isDate() | Date format |
| isURL() | URL verification |
Sanitization: data must not only be checked but also standardized before it is stored or used. The example below adds sanitizers to the chains.
app.post(
  "/sanitized-input",
  [
    // Sanitizers run in chain order: trim() runs before notEmpty(), so a
    // value of only spaces is rejected instead of being accepted.
    body("name").trim().notEmpty(),
    body("email").trim().isEmail().normalizeEmail(),
    // toDate() converts the string to a Date object (null if it cannot be parsed).
    body("dogumTarihi").toDate(),
  ],
  (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    // req.body now holds the sanitized values, not the raw input.
    console.log(req.body);
    res.json({ success: "Veriler temizlendi" });
  }
);
- normalizeEmail() converts an address to a canonical form (for example lower-casing the domain), so the same mailbox is always stored in the same format.
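The chains above live inside the route. The following added example, which is not code from the original guide, shows how a practitioner would split them out: a hypothetical validators/signup.js module where the custom rules are plain functions (the kind passed to .custom() and .customSanitizer()), the chains are built in one place, and a reusable validate() middleware turns validationResult() into field-keyed messages for the client. express-validator is required inside the functions that need it, so the pure rule functions can be tested without a running server; the password policy and message texts are assumptions for the example.

```javascript
// Hypothetical validators/signup.js (added example, not from the original guide).
// Pure rule functions stay free of express-validator so they are unit-testable;
// signupRules() wires them into validation chains.

// Custom rule for .custom(): a thrown error fails validation and its message
// becomes the reported message. Assumed policy: 8+ chars, one letter, one digit.
function isStrongPassword(value) {
  if (typeof value !== "string" || value.length < 8) {
    throw new Error("Password must be at least 8 characters");
  }
  if (!/[A-Za-z]/.test(value) || !/[0-9]/.test(value)) {
    throw new Error("Password must contain a letter and a digit");
  }
  return true;
}

// Custom rule that reads another field through the { req } argument
// express-validator passes to custom validators.
function passwordConfirmed(value, { req }) {
  if (value !== req.body.password) {
    throw new Error("Password confirmation does not match");
  }
  return true;
}

// Custom sanitizer for .customSanitizer(): collapse internal whitespace
// after the built-in trim() has removed the ends.
function collapseSpaces(value) {
  return typeof value === "string" ? value.replace(/\s+/g, " ") : value;
}

// Chains kept in one place so every route imports the same rules.
// express-validator is required at call time (assumed installed in the real app).
function signupRules() {
  const { body } = require("express-validator");
  return [
    // sanitize first, then validate: trim() runs before notEmpty()
    body("name").trim().customSanitizer(collapseSpaces)
      .notEmpty().withMessage("Name is required")
      .isLength({ max: 64 }).withMessage("Name is too long"),
    body("email").trim().isEmail().withMessage("Enter a valid e-mail")
      .normalizeEmail(),
    body("password").custom(isStrongPassword),
    body("passwordConfirm").custom(passwordConfirmed),
  ];
}

// Reusable middleware: run every chain, then answer with field-keyed errors.
function validate(rules) {
  return async (req, res, next) => {
    const { validationResult } = require("express-validator");
    for (const rule of rules) await rule.run(req);
    const result = validationResult(req);
    if (result.isEmpty()) return next();
    res.status(400).json({ errors: formatErrors(result.array()) });
  };
}

// Turn validationResult(req).array() into { field: firstMessage } so the client
// can show one message next to each input. express-validator v7 names the
// field "path"; v6 used "param"; both are handled here.
function formatErrors(errorList) {
  const byField = {};
  for (const err of errorList) {
    const field = err.path || err.param || "_form";
    if (!(field in byField)) byField[field] = err.msg;
  }
  return byField;
}

// Usage in a route file: app.post("/signup", validate(signupRules()), handler);
module.exports = { isStrongPassword, passwordConfirmed, collapseSpaces, signupRules, validate, formatErrors };
```

Keeping the rules in their own module also answers the duplication question: a login route can import only the email and password chains, and a test suite can call isStrongPassword() directly with edge-case inputs instead of spinning up the server.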
File Upload (Optional)
- multer is used to receive and check uploaded files.
Summary logic:
npm install multer
- Set a file size limit
- Accept a single file with upload.single()
- Check the other fields with Express-Validator
Frequently Asked Questions
- What is the difference between Validation and Sanitization? Validation checks, sanitization changes.
- Can I write a custom rule? Yes, you have complete freedom with .custom().
- How do I reduce code duplication? You can keep validation chains in a separate file.
Result
In this guide, you learned how to manage user input in Express.js projects in a safe, clean and maintainable way.
You have strengthened your application with Express-Validator. Next step: running this on a solid infrastructure.
🚀 You can test your projects immediately on the GenixNode VDS infrastructure. Secure code is complemented by a powerful server.

