Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

1046 lines (720 sloc) 35.253 kb



$ curl -# | sh


$ npm install express

Creating An Application

The express.Server now inherits from http.Server, however follows the same idiom by providing express.createServer() as shown below. This means that you can utilize Express server's transparently with other libraries.

var app = require('express').createServer();

app.get('/', function(req, res){
    res.send('hello world');



Express supports arbitrary environments, such as production and development. Developers can use the configure() method to setup needs required by the current environment. When configure() is called without an environment name it will be run in every environment prior to the environment specific callback.

In the example below we only dumpExceptions, and respond with exception stack traces in development mode, however for both environments we utilize methodOverride and bodyDecoder. Note the use of app.router, which can (optionally) be used to mount the application routes, otherwise the first call to app.{get,put,del,post}() will mount the routes.


app.configure('development', function(){
    app.use(express.staticProvider(__dirname + '/public'));
    app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));

app.configure('production', function(){
  var oneYear = 31557600000;
    app.use(express.staticProvider({ root: __dirname + '/public', maxAge: oneYear }));

For internal and arbitrary settings Express provides the set(key[, val]), enable(key), disable(key) methods:

    app.set('views', __dirname + '/views');
    // => "... views directory ..."

    app.enable('some feature');
    // same as app.set('some feature', true);

    app.disable('some feature');
    // same as app.set('some feature', false);

To alter the environment we can set the NODE_ENV environment variable, for example:

$ NODE_ENV=production node app.js

This is very important, as many caching mechanisms are only enabled when in production.


Express supports the following settings out of the box:

  • env Application environment set internally, use app.set('env') on Server#listen()
  • home Application base path used for res.redirect() and transparently handling mounted apps.
  • views Root views directory defaulting to CWD/views
  • view engine Default view engine name for views rendered without extensions
  • view options An object specifying global view options
  • partials Root view partials directory defaulting to views/partials.
  • stream threshold Bytesize indicating when a file should be streamed for res.sendfile() using fs.ReadStream() and sys.pump().


Express utilizes the HTTP verbs to provide a meaningful, expressive routing API. For example we may want to render a user's account for the path /user/12, this can be done by defining the route below. The values associated to the named placeholders are available as req.params.

app.get('/user/:id', function(req, res){
    res.send('user ' +;

A route is simple a string which is compiled to a RegExp internally. For example when /user/:id is compiled, a simplified version of the regexp may look similar to:


Regular expression literals may also be passed for complex uses. Since capture groups with literal RegExp's are anonymous we can access them directly req.params.

app.get(/^\/users?(?:\/(\d+)(?:\.\.(\d+))?)?/, function(req, res){

Curl requests against the previously defined route:

   $ curl http://dev:3000/user
   $ curl http://dev:3000/users
   $ curl http://dev:3000/users/1
   $ curl http://dev:3000/users/1..15

Below are some route examples, and the associated paths that they may consume:








For example we can POST some json, and echo the json back using the bodyDecoder middleware which will parse json request bodies (as well as others), and place the result in req.body:

var express = require('express')
  , app = express.createServer();

app.use(express.bodyDecoder());'/', function(req, res){


Passing Route Control

We may pass control to the next matching route, by calling the third argument, the next() function. When a match cannot be made, control is passed back to Connect, and middleware continue to be invoked. The same is true for several routes which have the same path defined, they will simply be executed in order until one does not call next().

app.get('/users/:id?', function(req, res, next){
    var id =;
    if (id) {
        // do something
    } else {

app.get('/users', function(req, res){
    // do something else

Express 1.0 also introduces the all() method, which provides a route callback matching any HTTP method. This is useful in many ways, one example being the loading of resources before executing subsequent routes as shown below:

var express = require('express')
  , app = express.createServer();

var users = [{ name: 'tj' }];

app.all('/user/:id/:op?', function(req, res, next){
  req.user = users[];
  if (req.user) {
  } else {
    next(new Error('cannot find user ' +;

app.get('/user/:id', function(req, res){
  res.send('viewing ' +;

app.get('/user/:id/edit', function(req, res){
  res.send('editing ' +;

app.put('/user/:id', function(req, res){
  res.send('updating ' +;

app.get('*', function(req, res){
  res.send('what???', 404);



Middleware via Connect can be passed to express.createServer() as you would with a regular Connect server. For example:

  var express = require('express');

var app = express.createServer(

Alternatively we can use() them which is useful when adding middleware within configure() blocks:

app.use(express.logger({ format: ':method :uri' }));

Typically with connect middleware you would require('connect') like so:

var connect = require('connect');

This is somewhat annoying, so express re-exports these middleware properties, however they are identical:


Route Middleware

Routes may utilize route-specific middleware by passing one or more additional callbacks (or arrays) to the method. This feature is extremely useful for restricting access, loading data used by the route etc.

Typically async data retrieval might look similar to below, where we take the :id parameter, and attempt loading a user.

app.get('/user/:id', function(req, res, next){
    loadUser(, function(err, user){
        if (err) return next(err);
        res.send('Viewing user ' +;

To keep things DRY and to increase readability we can apply this logic within a middleware. As you can see below, abstracting this logic into middleware allows us to reuse it, and clean up our route at the same time.

function loadUser(req, res, next) {
    // You would fetch your user from the db
    var user = users[];
    if (user) {
        req.user = user;
    } else {
        next(new Error('Failed to load user ' +;

app.get('/user/:id', loadUser, function(req, res){
    res.send('Viewing user ' +;

Multiple route middleware can be applied, and will be executed sequentially to apply further logic such as restricting access to a user account. In the example below only the authenticated user may edit his/her account.

function andRestrictToSelf(req, res, next) { ==
        ? next()
        : next(new Error('Unauthorized'));

app.get('/user/:id/edit', loadUser, andRestrictToSelf, function(req, res){
    res.send('Editing user ' +;

Keeping in mind that middleware are simply functions, we can define function that returns the middleware in order to create a more expressive and flexible solution as shown below.

function andRestrictTo(role) {
    return function(req, res, next) {
      req.authenticatedUser.role == role
          ? next()
          : next(new Error('Unauthorized'));

app.del('/user/:id', loadUser, andRestrictTo('admin'), function(req, res){
    res.send('Deleted user ' +;

Commonly used "stacks" of middleware can be passed as an array (applied recursively), which can be mixed and matched to any degree.

var a = [middleware1, middleware2]
  , b = [middleware3, middleware4]
  , all = [a, b];

app.get('/foo', a, function(){});
app.get('/bar', a, function(){});

app.get('/', a, middleware3, middleware4, function(){});
app.get('/', a, b, function(){});
app.get('/', all, function(){});

For this example in full, view the route middleware example in the repository.

HTTP Methods

We have seen app.get() a few times, however Express also exposes other familiar HTTP verbs in the same manor, such as, app.del(), etc.

A common example for POST usage, is when "submitting" a form. Below we simply set our form method to "post" in our html, and control will be given to the route we have defined below it.

 <form method="post" action="/">
     <input type="text" name="user[name]" />
     <input type="text" name="user[email]" />
     <input type="submit" value="Submit" />

By default Express does not know what to do with this request body, so we should add the bodyDecoder middleware, which will parse application/x-www-form-urlencoded request bodies and place the variables in req.body. We can do this by "using" the middleware as shown below:


Our route below will now have access to the req.body.user object which will contain the name and email properties when defined.'/', function(req, res){

When using methods such as PUT with a form, we can utilize a hidden input named _method, which can be used to alter the HTTP method. To do so we first need the methodOverride middleware, which should be placed below bodyDecoder so that it can utilize it's req.body containing the form values.


The reason that these are not always defaults, is simply because these are not required for Express to be fully functional. Depending on the needs of your application, you may not need these at all, your methods such as PUT and DELETE can still be accessed by clients which can use them directly, although methodOverride provides a great solution for forms. Below shows what the usage of PUT might look like:

<form method="post" action="/">
  <input type="hidden" name="_method" value="put" />
  <input type="text" name="user[name]" />
  <input type="text" name="user[email]" />
  <input type="submit" value="Submit" />    

app.put('/', function(){

Error Handling

Express provides the app.error() method which receives exceptions thrown within a route, or passed to next(err). Below is an example which serves different pages based on our ad-hoc NotFound exception:

function NotFound(msg){ = 'NotFound';, msg);
    Error.captureStackTrace(this, arguments.callee);

sys.inherits(NotFound, Error);

app.get('/404', function(req, res){
    throw new NotFound;

app.get('/500', function(req, res){
    throw new Error('keyboard cat!');

We can call app.error() several times as shown below. Here we check for an instanceof NotFound and show the 404 page, or we pass on to the next error handler.

Note that these handlers can be defined anywhere, as they will be placed below the route handlers on listen(). This allows for definition within configure() blocks so we can handle exceptions in different ways based on the environment.

app.error(function(err, req, res, next){
    if (err instanceof NotFound) {
    } else {

Here we assume all errors as 500 for the simplicity of this demo, however you can choose whatever you like

app.error(function(err, req, res){
    res.render('500.jade', {
       locals: {
           error: err

Our apps could also utilize the Connect errorHandler middleware to report on exceptions. For example if we wish to output exceptions in "development" mode to stderr we can use:

app.use(express.errorHandler({ dumpExceptions: true }));

Also during development we may want fancy html pages to show exceptions that are passed or thrown, so we can set showStack to true:

app.use(express.errorHandler({ showStack: true, dumpExceptions: true }));

The errorHandler middleware also responds with json if Accept: application/json is present, which is useful for developing apps that rely heavily on client-side JavaScript.

View Rendering

View filenames take the form NAME.ENGINE, where ENGINE is the name of the module that will be required. For example the view layout.ejs will tell the view system to require('ejs'), the module being loaded must export the method exports.render(str, options) to comply with Express, however app.register() can be used to map engines to file extensions, so that for example "foo.html" can be rendered by jade.

Below is an example using Haml.js to render index.html, and since we do not use layout: false the rendered contents of index.html will be passed as the body local variable in layout.haml.

app.get('/', function(req, res){
    res.render('index.haml', {
        locals: { title: 'My Site' }

The new view engine setting allows us to specify our default template engine, so for example when using Jade we could set:

app.set('view engine', 'jade');

Allowing us to render with:




When view engine is set, extensions are entirely optional, however we can still mix and match template engines:


Express also provides the view options setting, which is applied each time a view is rendered, so for example if you rarely use layouts you may set:

app.set('view options', {
    layout: false

Which can then be overridden within the res.render() call if need be:

res.render('myview.ejs', { layout: true });

When an alternate layout is required, we may also specify a path. For example if we have view engine set to jade and a file named ./views/mylayout.jade we can simply pass:

res.render('page', { layout: 'mylayout' });

Otherwise we must specify the extension:

res.render('page', { layout: 'mylayout.jade' });

These paths may also be absolute:

res.render('page', { layout: __dirname + '/../../mylayout.jade' });

A good example of this is specifying custom ejs opening and closing tags:

app.set('view options', {
    open: '{{',
    close: '}}'

View Partials

The Express view system has built-in support for partials and collections, which are sort of "mini" views representing a document fragment. For example rather than iterating in a view to display comments, we would use a partial with collection support:

partial('comment.haml', { collection: comments });

To make things even less verbose we can assume the extension as .haml when omitted, however if we wished we could use an ejs partial, within a haml view for example.

partial('comment', { collection: comments });

And once again even further, when rendering a collection we can simply pass an array, if no other options are desired:

partial('comment', comments);

When using the partial collection support a few "magic" variables are provided for free:

  • firstInCollection True if this is the first object
  • indexInCollection Index of the object in the collection
  • lastInCollection True if this is the last object
  • collectionLength Length of the collection

For documentation on altering the object name view res.partial().

Template Engines

Below are a few template engines commonly used with Express:

Session Support

Sessions support can be added by using Connect's session middleware. To do so we also need the cookieDecoder middleware place above it, which will parse and populate cookie data to req.cookies. The session middleware requires only a secret.

app.use(express.session({ secret: 'keyboard cat' }));

By default the session middleware uses the memory store bundled with Connect, however many implementations exist. For example connect-redis supplies a Redis session store and can be used as shown below:

var RedisStore = require('connect-redis');
app.use(express.session({ store: new RedisStore, secret: 'keyboard cat' }));

Now the req.session and req.sessionStore properties will be accessible to all routes and subsequent middleware. Properties on req.session are automatically saved on a response, so for example if we wish to shopping cart data:

var RedisStore = require('connect-redis');
app.use(express.session({ store: new RedisStore, secret: 'keyboard cat' }));'/add-to-cart', function(req, res){
  // Perhaps we posted several items with a form
  // (use the bodyDecoder() middleware for this)
  var items = req.body.items;
  req.session.items = items;

app.get('/add-to-cart', function(req, res){
  // When redirected back to GET /add-to-cart
  // we could check req.session.items && req.session.items.length
  // to print out a message
  if (req.session.items && req.session.items.length) {
    req.flash('info', 'You have %s items in your cart', req.session.items.length);

The req.session object also has methods such as Session#touch(), Session#destroy(), Session#regenerate() among others to maintain and manipulate sessions. For more information view the Connect Session documentation.

Migration Guide

Pre-beta Express developers may reference the Migration Guide to get up to speed on how to upgrade your application.

req.header(key[, defaultValue])

Get the case-insensitive request header key, with optional defaultValue:

req.header('Accept', '*/*');


Check if the Accept header is present, and includes the given type.

When the Accept header is not present true is returned. Otherwise the given type is matched by an exact match, and then subtypes. You may pass the subtype such as "html" which is then converted internally to "text/html" using the mime lookup table.

// Accept: text/html
// => true

// Accept: text/*; application/json
// => true

// => false

Check if the incoming request contains the Content-Type header field, and it contains the give mime type.

   // With Content-Type: text/html; charset=utf-8'html');'text/html');
   // => true

   // When Content-Type is application/json'json');'application/json');
   // => true'html');
   // => false

Ad-hoc callbacks can also be registered with Express, to perform assertions again the request, for example if we need an expressive way to check if our incoming request is an image, we can register "an image" callback:'an image', function(req){
      return 0 == req.headers['content-type'].indexOf('image');

Now within our route callbacks, we can use to to assert content types such as "image/jpeg", "image/png", etc.'/image/upload', function(req, res, next){
     if ('an image')) {
       // do something
     } else {

Keep in mind this method is not limited to checking Content-Type, you can perform any request assertion you wish.

Wildcard matches can also be made, simplifying our example above for "an image", by asserting the subtype only:'image/*');

We may also assert the type as shown below, which would return true for "application/json", and "text/json".'*/json');


Return the value of param name when present.

  • Checks route placeholders (req.params), ex: /user/:id
  • Checks query string params (req.query), ex: ?id=12
  • Checks urlencoded body params (req.body), ex: id=12

To utilize urlencoded request bodies, req.body should be an object. This can be done by using the express.bodyDecoder middleware.

req.flash(type[, msg])

Queue flash msg of the given type. These messages are stored in the session (thus requiring the session middleware), enabling them to span one or more requests before flushing.

req.flash('info', 'email sent');
req.flash('error', 'email delivery failed');
req.flash('info', 'email re-sent');
// => 2

// => ['email sent', 'email re-sent']

// => []

// => { error: ['email delivery failed'], info: [] }

Flash notification message may also utilize formatters, by default only the %s string formatter is available:

req.flash('info', 'email delivery to _%s_ from _%s_ failed.', toUser, fromUser);

For HTML flash message check out the express-contrib library.


Also aliased as req.xhr, this getter checks the X-Requested-With header to see if it was issued by an XMLHttpRequest:


res.header(key[, val])

Get or set the response header key.

// => undefined

res.header('Content-Length', 123);
// => 123

// => 123


Sets the Content-Type response header to the given type.

  var filename = 'path/to/image.png';
  // res.headers['Content-Type'] is now "image/png"


Sets the Content-Disposition response header to "attachment", with optional filename.



Used by to transfer an arbitrary file.


This method accepts a callback which when given will be called on an exception, as well as when the transfer has completed. When a callback is not given, and the file has not been streamed, next(err) will be called on an exception.

res.sendfile(path, function(err, path){
  if (err) {
    // handle the error
  } else {
    console.log('transferred %s', path);

When the filesize exceeds the stream threshold (defaulting to 32k), the file will be streamed using fs.ReadStream and sys.pump().[, filename])

Transfer the given file as an attachment with optional alternative filename.'path/to/image.png');'path/to/image.png', 'foo.png');

This is equivalent to:


res.send(body|status[, headers|status[, status]])

The res.send() method is a high level response utility allowing you to pass objects to respond with json, strings for html, arbitrary _Buffer_s or numbers for status code based responses. The following are all valid uses:

 res.send(); // 204
 res.send(new Buffer('wahoo'));
 res.send({ some: 'json' });
 res.send('<p>some html</p>');
 res.send('Sorry, cant find that', 404);
 res.send('text', { 'Content-Type': 'text/plain' }, 201);

By default the Content-Type response header is set, however if explicitly assigned through res.send() or previously with res.header() or res.contentType() it will not be set again.

res.redirect(url[, status])

Redirect to the given url with a default response status of 302.

res.redirect('/', 301);

Express supports "redirect mapping", which by default provides home, and back. The back map checks the Referrer and Referer headers, while home utilizes the "home" setting and defaults to "/".

res.cookie(name, val[, options])

Sets the given cookie name to val, with options such as "httpOnly: true", "expires", "secure" etc.

// "Remember me" for 15 minutes 
res.cookie('rememberme', 'yes', { expires: new Date( + 900000), httpOnly: true });

To parse incoming Cookie headers, use the cookieDecoder middleware, which provides the req.cookies object:


app.get('/', function(req, res){
    // use req.cookies.rememberme


Clear cookie name by setting "expires" far in the past.


res.render(view[, options[, fn]])

Render view with the given options and optional callback fn. When a callback function is given a response will not be made automatically, however otherwise a response of 200 and text/html is given.

Most engines accept one or more of the following options, both haml and jade accept all:

  • scope Template evaluation context (value of this)
  • locals Object containing local variables
  • debug Output debugging information
  • status Response status code, defaults to 200
  • headers Response headers object

res.partial(view[, options])

Render view partial with the given options. This method is always available to the view as a local variable.

  • object the object named by as or derived from the view name
  • as Variable name for each collection or object value, defaults to the view name.

    • as: 'something' will add the something local variable
    • as: this will use the collection value as the template context
    • as: global will merge the collection value's properties with locals
  • collection Array of objects, the name is derived from the view name itself. For example video.html will have a object video available to it.

The following are equivalent, and the name of collection value when passed to the partial will be movie as derived from the name.

partial('theatre/movie.jade', { collection: movies });
partial('theatre/movie.jade', movies);
partial('movie.jade', { collection: movies });
partial('movie.jade', movies);
partial('movie', movies);
// In view: movie.director

To change the local from movie to video we can use the "as" option:

partial('movie', { collection: movies, as: 'video' });
// In view: video.director

Also we can make our movie the value of this within our view so that instead of movie.director we could use this.director.

partial('movie', { collection: movies, as: this });
// In view: this.director

Another alternative is to "explode" the properties of the collection item into pseudo globals (local variables) by using as: global, which again is syntactic sugar:

partial('movie', { collection: movies, as: global });
// In view: director

This same logic applies to a single partial object usage:

partial('movie', { object: movie, as: this });
// In view: this.director

partial('movie', { object: movie, as: global });
// In view: director

partial('movie', { object: movie, as: 'video' });
// In view: video.director

partial('movie', { object: movie });
// In view: movie.director

When a non-collection (does not have .length) is passed as the second argument, it is assumed to be the object, after which the object's local variable name is derived from the view name:

partial('movie', movie);
// => In view: movie.director

app.set(name[, val])

Apply an application level setting name to val, or get the value of name when val is not present:

app.set('views', __dirname + '/views');
// => ...path...

Alternatively you may simply access the settings via app.settings:

// => ...path...


Enable the given setting name:

app.enable('some arbitrary setting');
app.set('some arbitrary setting');
// => true


Disable the given setting name:

app.disable('some setting');
app.set('some setting');
// => false

app.configure(env|function[, function])

Define a callback function for the given env (or all environments) with callback function:

    // executed for each env

app.configure('development', function(){
    // executed for 'development' only

app.redirect(name, val)

For use with res.redirect() we can map redirects at the application level as shown below:

app.redirect('google', '');

Now in a route we may call:


We may also map dynamic redirects:

app.redirect('comments', function(req, res){
    return '/post/' + + '/comments';

So now we may do the following, and the redirect will dynamically adjust to the context of the request. If we called this route with GET /post/12 our redirect Location would be /post/12/comments.

app.get('/post/:id', function(req, res){


Adds an error handler function which will receive the exception as the first parameter as shown below. Note that we may set several error handlers by making several calls to this method, however the handler should call next(err) if it does not wish to deal with the exception:

app.error(function(err, req, res, next){
    res.send(err.message, 500);


Registers static view helpers.

    name: function(first, last){ return first + ', ' + last },
    firstName: 'tj',
    lastName: 'holowaychuk'

Our view could now utilize the firstName and lastName variables, as well as the name() function exposed.

<%= name(firstName, lastName) %>


Registers dynamic view helpers. Dynamic view helpers are simply functions which accept req, res, and are evaluated against the Server instance before a view is rendered. The return value of this function becomes the local variable it is associated with.

    session: function(req, res){
        return req.session;

All views would now have session available so that session data can be accessed via etc:

<%= %>


Assign a callback fn which is called when this Server is passed to Server#use().

var app = express.createServer(),
    blog = express.createServer();

    // parent is app
    // "this" is blog


app.register(ext, exports)

Register the given template engine exports as ext. For example we may wish to map ".html" files to jade:

 app.register('.html', require('jade'));

This is also useful for libraries that may not match extensions correctly. For example my haml.js library is installed from npm as "hamljs" so instead of layout.hamljs, we can register the engine as ".haml":

 app.register('.haml', require('haml-js'));

For engines that do not comply with the Express specification, we can also wrap their api this way.

 app.register('.foo', {
     render: function(str, options) {
         // perhaps their api is
         // return foo.toHTML(str, options);

app.listen([port[, host]])

Bind the app server to the given port, which defaults to 3000. When host is omitted all connections will be accepted via INADDR_ANY.

app.listen(3000, 'n.n.n.n');

The port argument may also be a string representing the path to a unix domain socket:


Then try it out:

$ telnet /tmp/express.sock
GET / HTTP/1.1

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 11

Hello World
Jump to Line
Something went wrong with that request. Please try again.