interview

home / developersection / interviews / how do you secure a mean stack application (e.g., using jwt)?

Ask Question
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

07-Apr-2025

Securing a MEAN stack (MongoDB, Express, Angular, Node.js) application involves multiple layers of protection, with JWT (JSON Web Tokens) being a popular method for authentication and authorization. Here’s a breakdown of how to secure a MEAN app using JWT and other best practices:

JWT-Based Authentication

 

1. User Login & JWT Token Generation (Backend - Node/Express)

  1. On successful login, generate a JWT with a secret key.
  2. Send the token to the client (Angular).
const jwt = require('jsonwebtoken');

app.post('/api/login', (req, res) => {
    const { username, password } = req.body;
    // Authenticate user (e.g., check DB)
    const user = { id: 123, username: 'john' }; // Example user

    const token = jwt.sign(user, process.env.JWT_SECRET, { expiresIn: '1h' });
    res.json({ token });
});

 

2. Store the Token (Frontend - Angular)

  1. Store JWT securely in memory or localStorage (be cautious with XSS risks).
  2. Use Angular HttpInterceptor to attach JWT in the Authorization header for each API request.
// Angular HttpInterceptor example
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
  const token = localStorage.getItem('jwt');
  if (token) {
    req = req.clone({
      setHeaders: {
        Authorization: `Bearer ${token}`
      }
    });
  }
  return next.handle(req);
}

 

3. Protect Routes (Backend - Express Middleware)

const authenticateToken = (req, res, next) => {
  const authHeader = req.headers['authorization'];
  const token = authHeader?.split(' ')[1];
  if (!token) return res.sendStatus(401);

  jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
    if (err) return res.sendStatus(403);
    req.user = user;
    next();
  });
};

app.get('/api/protected', authenticateToken, (req, res) => {
  res.json({ message: 'This is protected data.' });
});

 

Additional Security Best Practices

 

1. Input Validation & Sanitization

  1. Use libraries like express-validator and mongoose-sanitize.
  2. Always validate and sanitize user input to prevent injection attacks.

2. HTTPS Only

  1. Serve your API and Angular frontend over HTTPS to prevent MITM attacks.

3. Use CORS Wisely

  1. Configure CORS to only allow requests from trusted origins.
app.use(cors({
  origin: 'https://yourfrontend.com',
  credentials: true
}));

4. Secure Headers with Helmet

  1. Use helmet middleware in Express for secure HTTP headers.
const helmet = require('helmet');
app.use(helmet());

5. CSRF Protection (Optional)

  1. Not needed with JWT if you store the token in memory or headers.
  2. If storing JWT in cookies: implement CSRF tokens as an extra layer.

6. Expire Tokens and Implement Refresh Tokens

  1. Short-lived access token + long-lived refresh token strategy is safer.

 

Summary

Layer Security Measures
Authentication JWT with short expiry and strong secret
API Middleware to protect routes (jwt.verify)
Frontend Angular interceptor for JWT
General HTTPS, CORS, Helmet, input validation
MindStick Training
MindStick Training

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy