DEV Community

Geoffrey Kim
Geoffrey Kim

Posted on

Understanding res.redirect and res.render in Express.js: Usage and Security Measures

res.redirect and res.render are two ways to handle responses in Express.js.


The res.redirect method sends a response to the client instructing it to redirect to a different URL. The client sends a new request to the specified URL, and the server responds after processing this request. This method is often used when you want to move the user to another page after completing actions such as login, sign up, form submission, etc.

Enter fullscreen mode Exit fullscreen mode


The res.render method is used to generate HTML on the server and send it to the client. It mainly generates HTML code dynamically using a template engine (e.g., EJS, Pug, Handlebars, etc.) and sends it to the client by rendering the template file. This method constructs the page on the server side and sends it, rather than changing the content of the page on the client side.

 res.render('view', { data: data });
Enter fullscreen mode Exit fullscreen mode

In summary, res.redirect instructs the client to redirect to another URL, while res.render generates HTML on the server and delivers it to the client.


The following are security issues to be careful about when using the res.redirect and res.render methods:

User Input Handling

When receiving input from a user, you should use appropriate processing such as verification, normalization, and encoding, rather than using the data entered by the user as is. To prevent attacks such as SQL injection, XSS (Cross-site Scripting), etc., you need to accurately filter and encode user input.

View Path

When using the res.render method, you should be careful not to include user input in the view path. This can be a vulnerability that attackers can use to access the file system to obtain sensitive information or damage the system.

Redirect Path

When using the res.redirect method, you should verify and filter before including user input in the redirect path. Otherwise, a malicious user could perform an Open Redirector attack. These attacks can redirect the user to other dangerous websites, exposing personal information or inducing the user to perform actions the attacker wants.

Exposure of Sensitive Data

When rendering a view using res.render, be careful not to expose sensitive information. For example, do not send sensitive data such as user passwords, personal information, API keys, etc. to the client.

Content Security Policy (CSP)

It is a good idea to use a Content Security Policy (CSP) to enhance the security of your web application. CSP restricts the origin of content loaded on a web page, reducing vulnerabilities such as XSS attacks.

By applying these security measures, you can increase the reliability and stability of your application.

Official Documentation (Original)

res.redirect([status,] path)

Redirects to a URL derived from the specified path. The status corresponds to a positive integer for HTTP status codes, and the default value if unspecified is "302 Found".

res.redirect(301, '')
Enter fullscreen mode Exit fullscreen mode

Redirects can be complete URLs for redirecting to other sites.

Enter fullscreen mode Exit fullscreen mode

Redirects can be relative to the root of the host name. For example, if the application is at, it redirects to the URL of

Enter fullscreen mode Exit fullscreen mode


can be relative to the current URL. For example, from (note the trailing slash), the following redirects to the URL of

Enter fullscreen mode Exit fullscreen mode

If you redirect from to post/new (no trailing slash), it redirects to

If the above behavior is confusing, it's easier to understand if you think of path segments as directories (including the trailing slash) and files.

Path-relative redirects are also possible. From, the following redirects to

Enter fullscreen mode Exit fullscreen mode

Back redirects send the request back to the referer. The default when no referer is present is /.

Enter fullscreen mode Exit fullscreen mode

res.render(view [, locals] [, callback])

Renders the view and sends the rendered HTML string to the client. Optional parameters:

  • locals are properties of an object that define local variables for the view.
  • callback is a callback function. If provided, this method returns any possible errors and the rendered string, but it does not automatically respond. If an error occurs, the method internally calls next(err).

The view argument is a string that is the file path of the view file to render. This can be an absolute path or a path relative to the views setting. If the path does not include a file extension, the view engine setting determines the file extension. If the path includes a file extension, Express loads the specified template engine's module (through require()) and uses the loaded module's __express function to render.

For more information, refer to Using template engines with Express.

Note: The view argument performs file system operations, so for security reasons, it should not include end-user input.

The local variable cache enables view caching. To cache views during development, set this to true. By default, view caching is enabled in production.

// Send the rendered view to the client

// If a callback is specified, the rendered HTML string must be explicitly sent
res.render('index', function (err, html) {

// Pass local variables to the view
res.render('user', { name: 'Tobi' }, function (err, html) {
  // ...
Enter fullscreen mode Exit fullscreen mode

Top comments (0)