Senior 7 min · March 05, 2026

Express.js REST API - Silent Hang from Missing next()

Q: Do I need Express to build a REST API in Node.js?

No — you can use Node's built-in `http` module. But you'd manually parse URLs, handle routing logic, parse JSON bodies, and manage every edge case yourself. Express abstracts all of that into a clean API. Most production teams use Express or a framework built on top of it (like NestJS or Fastify) precisely because the boilerplate savings are significant and the patterns are battle-tested.

Q: What is the difference between req.params, req.query, and req.body in Express?

req.params holds values from URL segments defined with a colon, like the `42` in `/books/42` when your route is `/books/:id`. req.query holds key-value pairs from the URL query string, like `?author=Martin`. req.body holds data sent in the HTTP request body — typically JSON sent with a POST or PUT request, available only after you've registered the express.json() middleware.

Q: Why does my Express error handler never seem to run?

There are two common causes. First, your error handler must be registered AFTER all routes with app.use() — if it's above your routes, requests never reach it before being handled. Second, for async route handlers, errors thrown inside async functions must be explicitly caught and passed to next(err). An uncaught promise rejection doesn't automatically flow into Express's error pipeline unless you're using Node 18+ with unhandledRejection hooks or a wrapper like express-async-errors.

Q: What's the best way to organise routes in a large Express application?

Use Express Router to create separate files per resource (e.g., routes/books.js, routes/authors.js). In each file, create a router instance and define the resource's routes on it. In your main app.js, mount each router at its prefix: app.use('/api/books', bookRouter), app.use('/api/authors', authorRouter). This keeps your codebase modular, testable, and makes it easy to find where a route is defined.

Q: How do I handle file uploads in Express?

Express doesn't handle multipart/form-data natively. Use a middleware library like `multer`. It parses file uploads and attaches them to `req.file` or `req.files`. You can configure storage (disk, memory, cloud), validation (file size, type), and error handling. Register multer as middleware on the specific route that accepts uploads.

Missing next() in Express.js validation hangs POST requests 30s leading to 504.

Naren Founder & Principal Engineer

20+ years shipping production JavaScript and front-end systems at scale. Drawn from code that ran under real load.

✓ Production

production tested

May 24, 2026

last updated

1,554

articles · all by Naren

● Production Incident 🔎 Debug Guide ⚙ Triage Commands

⚡Quick Answer

Express.js maps HTTP verbs + URL paths to route handlers
Middleware functions process requests in a pipeline before your route
app.use() order determines execution order – register json parser first, error handler last
Router modules let you group related routes under a prefix, keeping code modular
Production insight: forgetting next() in middleware hangs the request silently – every code path must call next() or send a response

✦ Definition~90s read

What is REST API with Express.js?

Express.js is a minimal, unopinionated web framework for Node.js that provides a thin abstraction over the HTTP server. Its REST API pattern uses middleware functions—essentially a pipeline of request handlers—that each receive req, res, and next.

★

Imagine a restaurant.

The critical contract: if a middleware doesn't send a response, it must call next() to pass control downstream. Forgetting this silently hangs the request, leaving the client waiting until timeout. This is the root cause of the 'silent hang' bug this article addresses.

In the REST API ecosystem, Express competes with Fastify (faster, schema-based) and Koa (async-native, no callback middleware). Express wins on ecosystem maturity—npm has 65,000+ packages for it—and its middleware pattern is the de facto standard for Node.js APIs.

You'd use Express when you need battle-tested stability, massive community support, or when integrating with legacy Express middleware. Avoid it if you need raw throughput (Fastify is 2-3x faster) or prefer async/await-first patterns without callback confusion.

The framework's power comes from its composability: express.Router() lets you mount route groups at paths, app.use() chains global middleware like CORS and body parsers, and error-handling middleware (four arguments) catches anything thrown. Production patterns layer on top: structured logging via pino, config via env vars, and graceful shutdown catching SIGTERM.

The silent hang from missing next() is a classic footgun—this article shows you exactly where it bites and how to prevent it.

Plain-English First

Imagine a restaurant. You (the customer) sit at a table and place an order. The waiter takes that order to the kitchen, the kitchen prepares the food, and the waiter brings it back. A REST API is exactly that waiter — it sits between your app (the customer) and your database or business logic (the kitchen). Express.js is the training manual that tells the waiter exactly how to behave: which orders to accept, in what format, and what to do when something goes wrong. You're not building the restaurant from scratch — you're hiring a very well-trained waiter.

Every app you use daily — Spotify, GitHub, your bank's mobile app — talks to a server through an API. When Spotify's mobile app asks 'give me this user's playlists', it sends an HTTP request to a REST API, which fetches the data and sends it back as JSON. Express.js is the most popular framework for building those APIs in Node.js, and for good reason: it's minimal, fast, and gives you exactly as much structure as you need without forcing a rigid pattern on you.

Before Express existed, building an HTTP server in raw Node.js meant writing dozens of lines of boilerplate just to read a URL or parse a request body. Express solves that. It wraps Node's built-in http module with a clean, chainable API for defining routes, plugging in middleware, and sending structured responses. The result is that you can go from zero to a working API endpoint in about ten lines of code — but knowing why each of those lines exists is what separates a junior who copies tutorials from an engineer who can debug, scale, and maintain a real service.

By the end of this article, you'll have a fully working RESTful API for a book library — complete with all four CRUD operations, proper HTTP status codes, input validation middleware, and a global error handler. More importantly, you'll understand the mental model behind each decision so you can apply these patterns to any domain, not just this example.

What Express.js REST API Actually Is

Express.js is a minimal, unopinionated web framework for Node.js that maps HTTP methods and routes to handler functions. Its core mechanic is a middleware pipeline: each request passes through a stack of functions in order, and each function can end the request-response cycle or pass control to the next function by calling next(). This pipeline model gives you fine-grained control over request processing, authentication, logging, and error handling.

In practice, Express treats everything as middleware — even route handlers. A route handler is just middleware that doesn't call next(). The framework provides a simple API: app.get(), app.post(), app.use(), and so on. Each middleware receives (req, res, next). If you forget next(), the request hangs until timeout. This is not a bug; it's the contract. The pipeline stops at the first handler that does not call next().

Use Express when you need a lightweight, flexible HTTP server for APIs, microservices, or server-rendered apps. It shines in projects where you want to compose behavior via middleware rather than inherit from a framework. Its simplicity means you must enforce structure yourself — no built-in validation, no ORM, no opinion on project layout. That's the trade-off for speed and control.

Missing next() = Silent Hang

Forgetting next() in middleware is the #1 cause of unresponsive Express routes in production — the request never completes, no error is thrown, and the client times out.

Production Insight

A payment API at a fintech startup had a middleware that validated JWT tokens but omitted next() on success. Every valid request hung for 30 seconds until the load balancer timeout killed it, causing 503s during peak hours.

The symptom: intermittent 503 errors with no application logs — the request never reached the route handler.

Rule: every middleware that does not end the request must call next() unconditionally, or the pipeline deadlocks.

Key Takeaway

Express middleware is a sequential pipeline — each function must either end the response or call next().

A missing next() causes a silent hang, not an error — the request will timeout.

Always structure middleware so that every code path either calls next() or sends a response.

thecodeforge.io

Express.js REST API Middleware & Error Flow

Rest Api Expressjs

Middleware — The Assembly Line That Runs Before Your Route Handler

Middleware is Express's killer feature, and it's the concept most beginners underestimate. A middleware function is just a function with three arguments: req, res, and next. When Express receives a request, it runs it through a pipeline of middleware functions in the order they were registered. Each function can read the request, modify it, respond to it, or pass control to the next function by calling next().

Think of it like airport security. Before you reach your gate (the route handler), your bag goes through X-ray (logging middleware), you show your passport (authentication middleware), and you get patted down (validation middleware). If any step fails, the process stops and you don't board the plane.

This pattern is powerful because it separates concerns cleanly. Your route handler shouldn't care about logging or authentication — it should only care about its specific business logic. Middleware handles the cross-cutting concerns that apply across many routes.

There are three types you'll use constantly: application-level middleware (registered with app.use()), router-level middleware (scoped to a specific Router instance), and error-handling middleware (four-argument functions: err, req, res, next). The order of registration is everything — middleware registered later in the file won't intercept requests that were already responded to by earlier handlers.

middleware.jsJAVASCRIPT

// middleware.js — custom middleware functions for our Book Library API
// These are pure functions: testable, reusable, and single-purpose

// ─── REQUEST LOGGER ───────────────────────────────────────────────────────────
// Logs every incoming request: method, URL, and response time
// This runs for EVERY request because we'll register it with app.use() at the top
const requestLogger = (req, res, next) => {
  const startTime = Date.now();

  // res.on('finish') fires AFTER the response is sent — so we get accurate timing
  res.on('finish', () => {
    const duration = Date.now() - startTime;
    console.log(`[${new Date().toISOString()}] ${req.method} ${req.originalUrl} — ${res.statusCode} (${duration}ms)`);
  });

  next(); // CRITICAL: without next(), the request just hangs — no response ever sent
};

// ─── API KEY AUTHENTICATION ────────────────────────────────────────────────────
// Checks that the client sent a valid API key in the x-api-key header
// In production you'd validate against a database or use JWT — same pattern, more logic
const requireApiKey = (req, res, next) => {
  const VALID_API_KEY = process.env.API_KEY || 'dev-secret-key-12345';
  const clientKey = req.headers['x-api-key'];

  if (!clientKey) {
    // 401 Unauthorized — the client didn't provide credentials at all
    return res.status(401).json({
      success: false,
      message: 'Missing x-api-key header. Include your API key to access this endpoint.',
    });
  }

  if (clientKey !== VALID_API_KEY) {
    // 403 Forbidden — credentials were provided but they're wrong
    return res.status(403).json({
      success: false,
      message: 'Invalid API key. Check your credentials and try again.',
    });
  }

  // Attach the key to the request object for downstream use if needed
  req.apiKey = clientKey;
  next(); // credentials are valid — continue to the route handler
};

// ─── BOOK BODY VALIDATOR ───────────────────────────────────────────────────────
// Validates that POST and PUT requests have the required book fields
// By extracting this to middleware, our route handlers stay clean
const validateBookBody = (req, res, next) => {
  const { title, author, year } = req.body;
  const errors = [];

  if (!title || typeof title !== 'string' || title.trim() === '') {
    errors.push('title must be a non-empty string');
  }
  if (!author || typeof author !== 'string' || author.trim() === '') {
    errors.push('author must be a non-empty string');
  }
  if (!year || isNaN(parseInt(year, 10)) || parseInt(year, 10) < 1000) {
    errors.push('year must be a valid 4-digit number');
  }

  if (errors.length > 0) {
    // Pass an Error object to next() — this triggers Express's error handler
    const validationError = new Error('Validation failed');
    validationError.statusCode = 400;
    validationError.details = errors;
    return next(validationError); // jumps straight to the error-handling middleware
  }

  next();
};

// ─── GLOBAL ERROR HANDLER ──────────────────────────────────────────────────────
// This MUST have exactly 4 parameters — Express detects it as an error handler by signature
// Register this LAST with app.use() — after all routes
const globalErrorHandler = (err, req, res, next) => {
  console.error(`[ERROR] ${err.message}`, err.stack);

  const statusCode = err.statusCode || 500; // default to 500 if no specific code was set
  const response = {
    success: false,
    message: err.message || 'An unexpected server error occurred',
  };

  // Include validation details if present (avoids leaking stack traces to clients)
  if (err.details) {
    response.errors = err.details;
  }

  res.status(statusCode).json(response);
};

module.exports = { requestLogger, requireApiKey, validateBookBody, globalErrorHandler };

Output

# Every request logged automatically:

[2024-01-15T10:23:45.123Z] GET /api/books — 200 (3ms)

[2024-01-15T10:23:51.456Z] POST /api/books — 400 (1ms)

# Missing API key:

{ "success": false, "message": "Missing x-api-key header. Include your API key to access this endpoint." }

# Validation failure:

{ "success": false, "message": "Validation failed", "errors": ["year must be a valid 4-digit number"] }

Watch Out: Forgetting next() Hangs Your Server

If your middleware doesn't call next() AND doesn't send a response, the HTTP request will sit there until the client times out. Express won't throw an error — it just silently hangs. Always make sure every code path in a middleware either calls next(), next(err), or sends a response. A linter rule like eslint-plugin-node can catch this pattern.

Production Insight

Forgetting next() is the #1 cause of silent hangs in Express APIs. It's not a crash — it's a timeout, and it looks like a network issue.

Rule: in every middleware, every branch must end with next(), next(err), or a response method (res.send/res.json/res.end).

Key Takeaway

Middleware pipeline: app.use() order = execution order

Every middleware must call next() or send a response — no exceptions

Error-handling middleware has 4 parameters and MUST be registered last.

Express Router — Organising Routes Like a Real-World Codebase

When your API has more than one resource — say books, authors, and orders — putting every route in a single server.js file becomes unmanageable fast. Express Router solves this by letting you create mini-applications that handle a subset of routes, then mount them onto your main app at a specific path prefix.

Think of it like a post office. The main post office (your app) receives all mail. It then hands packages destined for '42nd Street' to the 42nd Street department (your /api/books Router), packages for '5th Avenue' to a different department, and so on. Each department handles its own internal sorting without the main post office needing to know the details.

This isn't just an organisational preference — it's the pattern that makes your codebase testable and scalable. Each Router module can be imported, tested independently, and even reused. When a new developer joins your team, they can look at routes/books.js to understand everything about the books resource without reading the entire codebase.

The middleware cascade works here too: any middleware registered on the Router only runs for routes within that Router. This is how you can protect your entire /api/admin route group with auth middleware without touching any other route.

routes/books.jsJAVASCRIPT

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

// routes/books.js — all book-related routes live here
// This file knows NOTHING about auth or logging — those are app-level concerns

const express = require('express');
const router = express.Router(); // create a Router instance — not a full app
const { validateBookBody } = require('../middleware');

// Simulated data layer — in a real app this would be a service/repository
// The key point: swapping this to a real DB doesn't change the routes at all
let books = [
  { id: 1, title: 'The Pragmatic Programmer', author: 'Hunt & Thomas', year: 1999 },
  { id: 2, title: 'Clean Code', author: 'Robert C. Martin', year: 2008 },
];

// GET / — maps to GET /api/books when mounted at /api/books
// Notice: the path here is '/', not '/api/books' — the prefix is added at mount time
router.get('/', (req, res) => {
  // req.query lets you read URL query parameters like ?author=Martin
  const { author, year } = req.query;

  let results = [...books];

  if (author) {
    results = results.filter((b) =>
      b.author.toLowerCase().includes(author.toLowerCase())
    );
  }
  if (year) {
    results = results.filter((b) => b.year === parseInt(year, 10));
  }

  res.status(200).json({ success: true, count: results.length, data: results });
});

// GET /:id — maps to GET /api/books/:id
router.get('/:id', (req, res) => {
  const bookId = parseInt(req.params.id, 10);
  const book = books.find((b) => b.id === bookId);

  if (!book) {
    return res.status(404).json({ success: false, message: `Book ${bookId} not found` });
  }
  res.status(200).json({ success: true, data: book });
});

// POST / — validateBookBody middleware runs BEFORE the route handler
// If validation fails, the route handler never executes — the error bubbles to globalErrorHandler
router.post('/', validateBookBody, (req, res) => {
  const { title, author, year } = req.body;
  const newBook = {
    id: books.length > 0 ? Math.max(...books.map((b) => b.id)) + 1 : 1,
    title: title.trim(),
    author: author.trim(),
    year: parseInt(year, 10),
  };
  books.push(newBook);
  res.status(201).json({ success: true, data: newBook });
});

router.put('/:id', validateBookBody, (req, res) => {
  const bookId = parseInt(req.params.id, 10);
  const bookIndex = books.findIndex((b) => b.id === bookId);

  if (bookIndex === -1) {
    return res.status(404).json({ success: false, message: `Book ${bookId} not found` });
  }

  books[bookIndex] = { id: bookId, ...req.body, year: parseInt(req.body.year, 10) };
  res.status(200).json({ success: true, data: books[bookIndex] });
});

router.delete('/:id', (req, res) => {
  const bookId = parseInt(req.params.id, 10);
  const bookIndex = books.findIndex((b) => b.id === bookId);

  if (bookIndex === -1) {
    return res.status(404).json({ success: false, message: `Book ${bookId} not found` });
  }

  books.splice(bookIndex, 1);
  res.status(204).send();
});

module.exports = router;


// ─── app.js — main application file that wires everything together ─────────────
// (In a real project this would be a separate file)

const appSetup = `
const express = require('express');
const { requestLogger, requireApiKey, globalErrorHandler } = require('./middleware');
const bookRouter = require('./routes/books');

const app = express();

app.use(express.json());         // parse JSON bodies — runs for ALL routes
app.use(requestLogger);          // log every request — runs for ALL routes
app.use(requireApiKey);          // auth gate — runs for ALL routes below this line

// Mount the book router at /api/books
// All routes in bookRouter are now prefixed with /api/books
app.use('/api/books', bookRouter);

// 404 handler — catches any request that didn't match a route above
app.use((req, res) => {
  res.status(404).json({ success: false, message: 'Route not found' });
});

// Error handler — MUST be registered last, MUST have 4 params
app.use(globalErrorHandler);

app.listen(3000, () => console.log('API running on http://localhost:3000'));
`;

console.log('Route structure:\n', appSetup);

Output

# GET /api/books?author=Martin

{ "success": true, "count": 1, "data": [{ "id": 2, "title": "Clean Code", "author": "Robert C. Martin", "year": 2008 }] }

# POST /api/books with missing year field

{ "success": false, "message": "Validation failed", "errors": ["year must be a valid 4-digit number"] }

# GET /api/books/999

{ "success": false, "message": "Book 999 not found" }

# GET /nonexistent-route

{ "success": false, "message": "Route not found" }

Pro Tip: Route Parameter Order Is a Gotcha

If you define router.get('/:id', ...) before router.get('/featured', ...), Express will match /api/books/featured as a request for book with id 'featured' — not your featured route. Always register specific, literal routes BEFORE parameterised ones. This is a real interview question too — interviewers love to ask why /users/me isn't matching as expected.

Production Insight

Literal routes before parameterised ones — this is the classic Express gotcha. A route like /users/me will never match if /users/:id is defined first.

Rule: order routes from most specific to most generic.

Key Takeaway

Express Router = modular route groups

Mount with app.use(prefix, router)

Literal routes before parameterised routes — always.

Error Handling Patterns — From Validation to Global Catchers

Express gives you a structured way to handle errors that keeps your route handlers clean and your error responses consistent. The pattern is simple: when something goes wrong in a middleware or route handler, you call next(err) with an Error object. Express then skips all remaining non-error middleware and goes straight to the error-handling middleware — the one with four parameters (err, req, res, next).

This is important because it means you don't need try/catch blocks scattered across every route. Instead, you have a single place where all errors are caught, logged, and formatted into a consistent JSON response. The error handler is also where you decide what to expose to the client — never leak stack traces in production.

There's a nuance with async handlers. An async function that throws will result in an unhandled promise rejection — Express won't catch it automatically unless you use a wrapper like express-async-errors or explicitly wrap each handler. In recent Node versions (16+), unhandled rejections cause the process to exit, which is even worse. The safest approach is to install express-async-errors at the top of your entry file — it patches Express to catch async errors for you.

error-handling.jsJAVASCRIPT

// error-handling.js — dedicated error patterns for production Express APIs

// ─── Wrapper for async route handlers ──────────────────────────────────────────
// Without this, an async error crashes the server or causes a silent unhandled rejection
const asyncHandler = (fn) => (req, res, next) => {
  Promise.resolve(fn(req, res, next)).catch(next);
};

// Usage:
// app.get('/api/books', asyncHandler(async (req, res) => {
//   const books = await db.findMany();
//   res.json(books);
// }));

// ─── OR: install express-async-errors at the top of server.js ──────────────────
// require('express-async-errors');
// This patches Express to catch async rejections everywhere — no wrapper needed.

// ─── Custom error class for API errors ──────────────────────────────────────────
// Allows you to set HTTP status codes on errors consistently
class ApiError extends Error {
  constructor(statusCode, message, details = null) {
    super(message);
    this.statusCode = statusCode;
    this.details = details;
  }
}

// Usage:
// throw new ApiError(403, 'You do not have permission to access this resource');

// ─── Global error handler (must be registered last) ────────────────────────────
const globalErrorHandler = (err, req, res, next) => {
  // Log full error internally
  console.error(`[ERROR ${new Date().toISOString()}] ${err.message}`, err.stack);

  // Determine status code
  const statusCode = err.statusCode || 500;

  // Build response body
  const response = {
    success: false,
    message: statusCode === 500 ? 'An unexpected error occurred' : err.message,
  };

  // Include validation errors if present (never leak stack in production)
  if (err.details) {
    response.errors = err.details;
  }

  // In development, you might include the stack trace for debugging
  if (process.env.NODE_ENV === 'development') {
    response.stack = err.stack;
  }

  res.status(statusCode).json(response);
};

module.exports = { asyncHandler, ApiError, globalErrorHandler };

Output

# Async handler wrapping prevents crashes:

# Without wrapper: unhandled promise rejection -> app crashes or hangs

# With wrapper: error bubbles to globalErrorHandler

# Custom ApiError class gives consistent status codes:

# throw new ApiError(400, 'Invalid input', ['title is required']);

# -> { success: false, message: 'Invalid input', errors: ['title is required'] }

Don't Leak Stack Traces

In production, never return err.stack in the response body. It exposes file paths, internal variable names, and possibly secrets. Always check NODE_ENV before including stack traces. A malicious actor can use stack traces to map your directory structure.

Production Insight

Without express-async-errors or asyncHandler, a single unhandled rejection in an async route can bring down the entire Node process (Node 15+ default).

Rule: always wrap async routes or patch Express globally at startup.

Key Takeaway

Call next(err) to jump to error-handling middleware

Async routes need explicit error catching — use express-async-errors

Never expose stack traces in production responses

Production Patterns — Config, Logging, and Graceful Shutdown

A REST API that works on your laptop is not a production-ready API. Production means handling environment-specific configuration, structured logging you can actually query, and a graceful shutdown that doesn't drop in-flight requests.

Environment configuration is trivial but often done wrong. Hardcoding things like database URLs or API keys in the codebase is a security incident waiting to happen. Use process.env with sensible defaults for development, and validate that required variables are present on startup.

Logging in production should be structured JSON, not freeform text. Tools like ELK, Datadog, or Grafana expect log lines as JSON objects so they can be filtered and aggregated. Use a library like pino or winston — console.log is fine for development but worthless at scale.

Graceful shutdown is the one most people forget. When you send SIGTERM to your Node process (e.g., during a deployment), any ongoing HTTP requests get aborted. You need to listen for the signal, stop accepting new connections, wait for pending requests to finish, and then close. Express doesn't do this by default — you need to wrap server.close() in the signal handler.

production-setup.jsJAVASCRIPT

// production-setup.js — environment configuration and graceful shutdown

const express = require('express');
const pino = require('pino');          // structured JSON logging
const { ApiError, globalErrorHandler } = require('./error-handling');

// ─── Configuration ─────────────────────────────────────────────────────────────
const requiredEnvVars = ['DATABASE_URL', 'API_KEY'];
const missing = requiredEnvVars.filter((v) => !process.env[v]);
if (missing.length > 0) {
  console.error(`Missing required environment variables: ${missing.join(', ')}`);
  process.exit(1);
}

const config = {
  port: parseInt(process.env.PORT, 10) || 3000,
  databaseUrl: process.env.DATABASE_URL,
  apiKey: process.env.API_KEY,
  nodeEnv: process.env.NODE_ENV || 'development',
};

// ─── Structured Logger ─────────────────────────────────────────────────────────
const logger = pino({
  level: config.nodeEnv === 'production' ? 'info' : 'debug',
  formatters: {
    // Ensures every log line has a timestamp and service name for correlation
    bindings: () => ({ service: 'book-library-api' }),
  },
});

// Express middleware to attach logger to each request
const requestLogger = (req, res, next) => {
  const start = Date.now();
  res.on('finish', () => {
    logger.info({
      method: req.method,
      url: req.originalUrl,
      status: res.statusCode,
      durationMs: Date.now() - start,
    });
  });
  next();
};

// ─── Server and Graceful Shutdown ──────────────────────────────────────────────
const app = express();
app.use(express.json());
app.use(requestLogger);

// ... routes ...

app.use(globalErrorHandler);

const server = app.listen(config.port, () => {
  logger.info(`Server started on port ${config.port}`);
});

const gracefulShutdown = (signal) => {
  logger.info(`${signal} received — shutting down gracefully...`);
  server.close(() => {
    logger.info('All connections closed. Exiting.');
    process.exit(0);
  });

  // If connections don't close within 10 seconds, force exit
  setTimeout(() => {
    logger.error('Forcing shutdown after timeout');
    process.exit(1);
  }, 10000).unref();
};

process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
process.on('SIGINT', () => gracefulShutdown('SIGINT'));

Output

# On startup:

{"level":30,"time":1705321234567,"service":"book-library-api","msg":"Server started on port 3000"}

# On each request:

{"level":30,"time":1705321234567,"service":"book-library-api","method":"GET","url":"/api/books","status":200,"durationMs":3}

# Graceful shutdown:

{"level":30,"time":... "msg":"SIGTERM received — shutting down gracefully..."}

{"level":30,"time":... "msg":"All connections closed. Exiting."}

Mental Model: Your API is a Service, Not a Script

Environment config = externalise everything that changes between environments.
Structured logging = JSON output that tools can parse; console.log is for debugging only.
Graceful shutdown = listen for SIGTERM, stop accepting, drain requests, then exit.
Health checks = expose a /healthz endpoint that returns 200 so orchestrators know you're alive.
Port configuration = read from environment with a sensible default, and validate on startup.

Production Insight

No graceful shutdown means dropped requests during deployments. Kubernetes sends SIGTERM, then after a grace period, SIGKILL. If your app doesn't close cleanly, you lose in-flight requests.

Rule: always listen for SIGTERM and call server.close() with a timeout.

Key Takeaway

Production-ready Express = config validation + structured logging + graceful shutdown

Environment variables for secrets, never hardcode

Graceful shutdown prevents dropped requests during deployments

Response Streaming — The Difference Between 200ms and 20ms

You see Express calling res.json() and think that's the final word. It's not. When you're serving large datasets — say a CSV export or an AI-generated stream — waiting for the entire payload to assemble in memory before sending it turns your API into a memory-sucking bottleneck. The WHY: Node.js runs on a single thread. If that thread is blocking on a 50MB JSON stringify, every concurrent request queues up. The HOW: Pipe data through streams. Use res.write() for chunked transfer encoding. For JSON arrays, use a transform stream that writes each object as it's ready. This lets the client render progress bars, process partial results, or abort mid-stream. Production trap: forgetting to handle backpressure. If your client reads slower than you write, memory balloons. Check stream.readableHighWaterMark and implement .pipe() with proper error propagation. The result? Your API stays responsive under load, and your users aren't staring at a spinner waiting for the whole payload.

streamMovies.jsJAVASCRIPT

// io.thecodeforge
import { createReadStream } from 'node:fs';
import { Transform } from 'node:stream';

const csvTransform = new Transform({
  objectMode: true,
  transform(chunk, _, callback) {
    // Simulate processing a row
    const row = `${chunk.id},${chunk.title}\n`;
    callback(null, row);
  }
});

router.get('/movies/export', (req, res) => {
  const source = createReadStream('/tmp/movies.csv');
  req.on('close', () => source.destroy()); // client aborted
  source.pipe(csvTransform).pipe(res);
});

Output

Client receives CSV rows incrementally — first row in <10ms.

Production Trap:

Never call res.end() inside a stream error handler. It double-closes the connection. Always use res.destroy(error) to let the client know something broke.

Key Takeaway

Stream early, buffer only what the client can hold. Backpressure is your async contract.

Every time your route handler calls new Pool() or creates a connection manually, you're building a rope for your own hanging. The WHY: Opening a database connection is expensive — TCP handshake, SSL negotiation, authentication. Do that per-request at 1000 req/s and your database will throttle you or your Node event loop will stall waiting on I/O. The HOW: Use a singleton connection pool initialized once at app startup. Libraries like pg or mysql2 export Pool instances you configure with min/max connections. Set the max to something sane — typically 10-20 per process — and let the pool queue requests. Monitor pool.waitingCount and pool.totalCount in your health endpoint. Production trap: forgetting to release connections back to the pool. If you catch an error and return early without calling client.release(), you leak a connection. After 20 leaked connections, your pool is empty and your API hangs. Fix: use try/finally blocks or a dedicated context manager.

poolConfig.jsJAVASCRIPT

// io.thecodeforge
import pg from 'pg';

const pool = new pg.Pool({
  connectionString: process.env.DATABASE_URL,
  max: 15,
  idleTimeoutMillis: 30000,
});

// Health check — returns active pool stats
router.get('/health', async (req, res) => {
  const client = await pool.connect();
  try {
    await client.query('SELECT 1');
    res.json({
      status: 'ok',
      pool: pool.totalCount,
      waiting: pool.waitingCount,
    });
  } finally {
    client.release();
  }
});

Output

Pool starts at 0 connections; under load, it grows to 15 and reuses them.

Production Trap:

Env vars with query strings? URL-decode them. A single & in your password breaks your connection string silently. Use URL parsing lib or escape manually.

Key Takeaway

One pool per process, monitor it like a hawk, release in finally blocks. Your DB will thank you.

● Production incidentPOST-MORTEMseverity: high

The Silent Hang: Forgetting next() in a Validation Middleware

Symptom

All POST requests to /api/books would hang for exactly 30 seconds and then return a 504 Gateway Timeout. GET requests worked fine. No errors appeared in the logs.

Assumption

The team assumed the database was slow. They checked connection pools, query times, and even restarted the database. The issue persisted.

Root cause

The validation middleware had a conditional branch: if a field was valid, it proceeded but forgot to call next(). The route handler never executed, and no response was sent. The middleware simply exited, leaving the request hanging.

Fix

Add a default next() call at the end of the middleware function, and ensure every code path either sends a response or calls next(). Also added a linter rule (eslint-plugin-node) to catch missing next() calls.

Key lesson

Never assume every code path in a middleware calls next() — review all branches explicitly.
Use a linter to enforce that middleware functions always either call next() or send a response.
Add a request timeout middleware (e.g. express-timeout) as a safety net so hung requests don't wait forever.

Production debug guideIdentify and fix the most common production issues in Express APIs.4 entries

Symptom · 01

Request hangs indefinitely, no response sent

→

Fix

Check if a middleware or route handler forgot to call next() or res.end(). Use console.log('reached here') at the end of each middleware to see if execution reaches it.

Symptom · 02

Global error handler never runs, Express shows HTML error page

→

Fix

Ensure the error handler is registered LAST (after all routes) and has exactly 4 parameters: (err, req, res, next). If it's above a route, errors from that route won't reach it.

Symptom · 03

req.body is undefined in POST/PUT handlers

→

Fix

Verify that app.use(express.json()) is called BEFORE any route handlers. If it's after a route, that route won't have parsed body.

Symptom · 04

Route returns 404 even though it exists

→

Fix

Check the order of route definitions. Parameterised routes like /:id must come AFTER literal routes like /featured. Also confirm the path prefix matches the mount point (e.g., app.use('/api/books', router) means router.get('/') maps to GET /api/books).

★ Express.js Quick Debug Cheat SheetJump straight to the fix for the most common Express production issues.

POST request hangs — no req.body−

Immediate action

Check if express.json() is registered and placed above routes.

Commands

console.log(app._router.stack.map(layer => layer.name));

curl -v -X POST http://localhost:3000/api/books -H 'Content-Type: application/json' -d '{}'

Fix now

Add app.use(express.json()) before all route definitions in your app file.

404 on every request — custom error handler not working+

Async route handler crashes silently+

App-level vs Router-level Middleware

Aspect	app.use() (Application Middleware)	router.use() (Router Middleware)
Scope	Applies to every route in the entire app	Applies only to routes in that specific Router instance
Use case	Logging, JSON parsing, CORS, global auth	Route-group auth (e.g. /admin only), group-specific validation
Registration	Called directly on the Express app object	Called on an express.`Router()` instance
Execution order	Runs in the order `app.use()` calls appear in app.js	Runs in order of `router.use()` calls within that router file
Error handling	Catches errors from all routes below it	Only catches errors from routes within that router
Testability	Harder to unit test in isolation	Easy to test the router module independently with supertest

Key takeaways

HTTP verbs are the verb, URLs are the noun

GET /books fetches, POST /books creates, PUT /books/:id updates, DELETE /books/:id removes. Never use verbs in REST URLs like /getBooks or /createUser.

Middleware order is execution order

app.use(express.json()) must come before any route that reads req.body, and globalErrorHandler must always be the last app.use() call in your file.

Calling next(err) with an Error object is how you route to Express's error-handling middleware

and that error handler must have exactly four parameters (err, req, res, next) or Express won't recognise it as an error handler.

Express Router lets you scope routes and middleware to a specific URL prefix

mount a router with app.use('/api/books', bookRouter) and every route inside it is automatically prefixed, keeping your codebase modular and testable.

Async route handlers must be wrapped to catch errors

either with an asyncHandler wrapper or by installing express-async-errors.

Production Express APIs need environment config validation, structured JSON logging (pino or winston), and graceful shutdown (listen for SIGTERM and call server.close()).

Common mistakes to avoid

3 patterns

Not calling next(err) in async route handlers

Symptom

An async operation throws inside a route handler, the error is swallowed silently, and the client gets no response (then a timeout).

Fix

Wrap async handlers in a try/catch and call next(err), or install express-async-errors at the top of your entry file to catch all async rejections automatically.

Registering the global error handler before your routes

Symptom

Errors produce no response or fall through to Express's default HTML error page even though you defined a handler.

Fix

Move the error handler to the very end of your middleware chain, after all routes and other app.use() calls.

Using 200 for all responses regardless of outcome

Symptom

Clients, proxies, and monitoring tools can't differentiate errors from success. Axios, fetch, and API Gateway all branch on status codes.

Fix

Use 201 for creation, 204 for deletion with no body, 400 for bad input, 401/403 for auth failures, 404 for missing resources, and 500 for unexpected server errors.

INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

Q01JUNIOR

What is the difference between 401 Unauthorized and 403 Forbidden, and w...

Q02SENIOR

Explain the Express middleware pipeline. If I have five app.use() calls ...

Q03SENIOR

How would you handle errors in an async/await route handler in Express, ...

Q04JUNIOR

What is the difference between app.use() and router.use() in Express?

Q05SENIOR

How would you implement a health check endpoint in an Express API for a ...

Q01 of 05JUNIOR

What is the difference between 401 Unauthorized and 403 Forbidden, and when would your Express API return each one?

ANSWER

401 Unauthorized means the client has not provided valid credentials — e.g., no API key header. 403 Forbidden means the client provided credentials but they don't have permission — e.g., invalid API key. In Express, 401 is returned when request.headers['x-api-key'] is missing; 403 is returned when the key doesn't match the expected value.

FAQ · 5 QUESTIONS

Frequently Asked Questions

Do I need Express to build a REST API in Node.js?

What is the difference between req.params, req.query, and req.body in Express?

Why does my Express error handler never seem to run?

What's the best way to organise routes in a large Express application?

How do I handle file uploads in Express?

Naren Founder & Principal Engineer

20+ years shipping production JavaScript and front-end systems at scale. Drawn from code that ran under real load.

✓ Verified

production tested

May 24, 2026

last updated

1,554

articles · all by Naren

🔥

That's Node.js. Mark it forged?

7 min read · try the examples if you haven't