Secure EJS MVC starter for a new web application.

Secure EJS views, Mongo-ready services, and production-focused defaults.

Architecture

A strict controller-to-view contract keeps templates clean.

Controllers only hand sanitized view models to EJS. Site shell data comes through a service layer, keeping persistence concerns out of route handlers and views.

Middleware stack

Helmet, CORS allow-listing, rate limiting, compression, cookie signing, and CSRF protection are applied centrally.

Fail-soft development

The app can run without Mongo locally so the shell remains usable during early UI work.

Back home

Fail-hard production

Production startup rejects missing Mongo or cookie-secret configuration instead of masking errors.

See config