Deployment Best Practices

Running Node.js without NODE_ENV=production enables verbose error messages, disables caching optimizations, and can activate development-only middleware.

Debug mode enabled in production exposes internal state, enables verbose logging, and sometimes activates interactive debugging endpoints that attackers can exploit.

Without a /health endpoint, load balancers and orchestrators can't verify your application is actually working before routing traffic to it.

Without error monitoring, production errors are invisible until a user reports them — which most never do.

Using development credentials (test API keys, local database URLs, sandbox payment keys) in production puts real users at risk.

Without regular tested backups, a ransomware attack, accidental deletion, or database corruption can result in permanent data loss.

Sessions that never expire stay valid indefinitely, giving attackers unlimited time to use stolen tokens.