Best Practices


Securing Your Application

To keep builds as small as possible, the Node.js runtime doesn’t bring any potentially unnecessary dependencies and, hence, doesn’t automatically mount any express middlewares, such as the popular helmet.

However, application developers can easily mount custom or best-practice express middlewares using the bootstrapping mechanism.


// local ./server.js
const cds = require('@sap/cds')
const helmet = require('helmet')

cds.on('bootstrap', (app) => {

module.exports = cds.server // > delegate to default server.js

Please consult sources such as express’ “Production Best Practices: Security” guide for state of the art application security.