> ... how is a novice web developer supposed to know what is missing?
That is a great question. Is it the job of the tooling to prevent a novice developer from shooting themselves in their foot? Do we need higher-level abstractions in our frameworks that are analogous to memory safety in programming languages? Perhaps.
Alternatively, I don't think that security practices are particularly hidden. Anyone who's used the web has used a login form. I would give most novice developers the benefit of the doubt that they're going to be curious and look into that.
I would argue that it is, in part, their responsibility to learn these things. It's our responsibility perhaps as stewards of the secure web to teach and enforce best practices. I don't think baking these best practices into frameworks does these developers any favors, except that it allows them to focus on something else.