Node.js + Express Rules
Cursor rules for Node.js + Express backends. Structure, middleware, error handling, database, testing conventions.
What it does
Teaches Cursor the canonical Route -> Controller -> Service -> Model structure, helmet + cors + rate-limit on every app, Zod or Joi input validation at controller entry, a centralized error handler with a consistent { code, message } shape, and Prisma / Drizzle for data access. No raw SQL in route handlers.
How to install
Which tool are you using?
Not sure? Claude.ai is the website. Claude Code is the command-line tool you install separately. Cursor is a code editor that reads .cursorrules.
- 01
Copy the rules
Click the Copy button on the code block below to grab the full contents of .cursorrules.
- 02
Create .cursorrules at your project root
Cursor reads .cursorrules from the top-level folder of your project. Paste the copied content there.
terminalshelltouch .cursorrules - 03
Reload Cursor
Cmd+Shift+P → "Developer: Reload Window". Cursor picks up the new rules immediately.
- 04
Verify with a test prompt
Ask Cursor to generate a component or function in your stack. The output should follow the conventions in your rules file.
The cursor rules file
Copy the full contents below, or download the file directly.
# Node.js + Express Cursor Rules You are an expert Node.js backend engineer. ## Structure- src/routes, src/controllers, src/services, src/models- Route -> Controller -> Service -> Model- No business logic in routes or controllers- One resource per file ## Middleware- helmet, cors, express-rate-limit on every app- Centralized error handler at end of chain- Request validation via Zod or Joi at controller entry- Auth middleware checks token + attaches user to req ## Errors- Custom AppError class with status + code- Never leak stack traces in production- Log with correlation id per request- Return consistent { code, message } on error ## Database- Prisma or Drizzle — no raw SQL in route handlers- Migrations checked in, never edit applied ones- Connection pooling configured for prod- Transactions for multi-step writes ## Testing- Jest + supertest for integration- Unit test services, not controllers- Testcontainers for DB in CI- No mocks for code you own ## Config- dotenv-safe with committed .env.example- Validate env at boot with Zod- No secrets in code, logs, or errorsExample output
What Claude does before and after you install this cursor rules.
Cursor writes business logic inline in route handlers, skips input validation, and leaks stack traces on errors.
Cursor creates a clean Route -> Controller -> Service structure with Zod validation at entry, a custom AppError class, and safe production error responses.
Customization tips
If you use Fastify or Koa, most rules still apply — edit middleware section. For NestJS, a separate rules file is recommended. Teams that use raw SQL intentionally can remove that ban.
Related resources
API Designer
Designs RESTful APIs with proper resource naming, status codes, and error handling patterns.
Python + FastAPI Rules
Cursor rules for Python + FastAPI backends. Async-first, Pydantic v2, SQLAlchemy 2.0, structured errors.
Supabase + Next.js Rules
Cursor rules for Supabase + Next.js App Router. Client separation, RLS, auth middleware, server actions for mutations.
Frequently asked questions
Works with Fastify?
Most rules transfer; swap Express-specific middleware for Fastify equivalents.
Does it require Prisma?
No — Prisma or Drizzle. Edit if you use another ORM.
Does it enforce DTOs?
Implicitly, via Zod at controller entry. Explicit DTOs can be added.
Covers authentication?
Middleware pattern only. Full auth flows live in a separate rules file.
TypeScript or plain JS?
Rules assume TypeScript. Works on plain JS too.
Want more like this?
Browse the full RohanKit library — free resources for Claude and Cursor.