Express JS Cheat Sheet 2026
The 30 highest-yield Express JS facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
50 questions
60 min time limit
70.00% to pass
- How can you ensure unhandled promise rejections don't crash your Express server in Node.js? → Listen for the 'unhandledRejection' event on the process object
- How do you prevent Express from revealing its version in the X-Powered-By header? → app.disable('x-powered-by') or use helmet()
- What is the signature of an Express error-handling middleware? → (err, req, res, next)
- How do you redirect a client to a different URL in Express? → res.redirect(url)
- Which method defines a route that responds to all HTTP methods in Express? → app.all()
- How do you define a catch-all route that handles any path not matched by previous routes? → app.use('*', handler) or app.get('*', handler) placed last
- Which package is commonly used to implement Passport.js-based authentication in Express? → passport
- What does the secure: true option do when setting cookies in Express? → Ensures the cookie is only sent over HTTPS connections
- How many parameters must an Express error-handling middleware function declare? → 4 (err, req, res, next)
- What's the best approach to save local variables that can be accessible from within the app? → Using app.locals
- What is API versioning in Express and why is it important? → Prefixing routes with /v1, /v2 to support multiple API versions simultaneously
- Which Express object is used to create a modular, mountable route handler? → express.Router()
- Which middleware is commonly used to prevent Cross-Site Request Forgery (CSRF) in Express apps with sessions? → csurf (or modern alternatives like csrf-csrf)
- In a RESTful Express API, what HTTP status code should a successful resource creation return? → 201 Created
- What does the helmet package help protect against in Express? → XSS, clickjacking, and other attacks by setting security HTTP headers
- What is the recommended way to handle async errors in Express 5? → Express 5 automatically catches rejected promises in route handlers
- What HTTP status code should be returned when a requested resource is not found in an Express REST API? → 404 Not Found
- How do you verify a JWT in an Express middleware using the jsonwebtoken package? → jwt.verify(token, secret, callback)
- What happens if a middleware function does not call next() or send a response? → The request hangs and the client never receives a response
- What is the purpose of pagination in a REST API endpoint that returns a list of resources? → To limit the number of items returned per request and reduce payload size
- What type of middleware runs for every route regardless of path or method? → Application-level middleware registered with app.use() without a path
- Which HTTP method is conventionally used to create a new resource in a REST API built with Express? → POST
- How do you differentiate between development and production error responses in Express? → Check process.env.NODE_ENV in the error handler and conditionally include stack traces
- How do you retrieve the value of the 'Authorization' request header in Express? → req.get('Authorization') or req.headers['authorization']
- What does next('router') do when called inside a Router middleware? → Skips the rest of the router's middleware and returns control to the parent app
- Which of the following was the Pug's previous name? → Jade
- What does passing the string 'route' to next() do in Express? → Skips remaining handlers for the current route and moves to the next route
- In Express, where must error-handling middleware be placed relative to other middleware? → At the very end, after all routes and other middleware
- What is res.locals used for in Express template rendering? → Storing variables available to templates for the current request only
- What is the purpose of bcrypt when handling passwords in an Express application? → Hashing passwords with a salt to securely store them
Turn these facts into recall: