NestJS Best Practices
Comprehensive guide for building production-ready NestJS applications. Contains 26 rules across 13 categories, covering security, architecture, performance, validation, database operations, authentication, and advanced patterns.
When to Apply
Reference these guidelines when:
- Writing new NestJS modules, controllers, or services
- Implementing authentication and authorization
- Setting up Prisma database operations
- Creating DTOs and validation pipes
- Adding middleware or guards
- Implementing error handling and logging
- Reviewing NestJS code for best practices
- Refactoring existing NestJS applications
Rule Categories by Priority
| Priority | Category | Impact | Prefix |
|---|---|---|---|
| 1 | Security | CRITICAL | security- |
| 2 | Performance | HIGH | performance- |
| 3 | Architecture | HIGH | architecture- |
| 4 | Error Handling | HIGH | error-handling- |
| 5 | Validation | CRITICAL | validation- |
| 6 | Database | CRITICAL | database- |
| 7 | Authentication | CRITICAL | auth- |
| 8 | API | MEDIUM | api- |
| 9 | Configuration | CRITICAL | config- |
| 10 | Testing | MEDIUM | testing- |
| 11 | Deployment | MEDIUM | deployment- |
| 12 | Middleware | MEDIUM | middleware- |
| 13 | Advanced | HIGH | advanced- |
Quick Reference
1. Security (CRITICAL)
security-cors-whitelist- Enable CORS with whitelist origins onlysecurity-dependency-audit- Regular dependency security audits with bunsecurity-helmet-headers- Use Helmet middleware for security headers
2. Performance (HIGH)
performance-redis-caching- Cache frequently used data with Redis
3. Architecture (HIGH)
architecture-short-functions- Keep functions short and single purposearchitecture-feature-modules- Organize code by feature modulesarchitecture-no-dead-code- Remove unused code and dependenciesarchitecture-thin-controllers- Single responsibility - separate controller and servicearchitecture-naming-conventions- Use consistent naming conventionsarchitecture-event-driven- Use event-driven architecture for loose coupling
4. Error Handling (HIGH)
error-handling-exception-filter- Enable global exception filtererror-handling-structured-logging- Implement proper logging strategy
5. Validation (CRITICAL)
validation-custom-pipes- Create custom pipes for query parameter transformationvalidation-dto-validation- Validate all inputs with DTOs and ValidationPipe
6. Database (CRITICAL)
database-parameterized-queries- Use parameterized queries to prevent SQL injection (Prisma v7)
7. Authentication (CRITICAL)
auth-password-hashing- Use Bun's built-in Crypto for secure password hashing (argon2/bcrypt)auth-route-guards- Use guards for route protection
8. API (MEDIUM)
api-cursor-pagination- Use cursor-based pagination for large datasetsapi-swagger-docs- Generate Swagger/OpenAPI documentation
9. Configuration (CRITICAL)
config-no-secrets- Never hardcode secrets - use environment variables
10. Testing (MEDIUM)
testing-unit-tests- Write comprehensive unit tests
11. Deployment (MEDIUM)
deployment-health-checks- Implement health check endpoints
12. Middleware (MEDIUM)
middleware-compression- Enable compression middleware for responsesmiddleware-rate-limiting- Implement rate limiting for all routes
13. Advanced (HIGH)
advanced-lazy-loading- Lazy load non-critical modulesadvanced-scheduled-tasks- Use @nestjs/schedule for cron jobs and scheduled tasks
How to Use
Read individual rule files for detailed explanations and code examples:
rules/security-cors-whitelist.md
rules/auth-route-guards.md
rules/validation-dto-validation.md
rules/_sections.md
Each rule file contains:
- "For AI Agents" section with step-by-step implementation instructions
- Quick Reference Checklist for code review
- ❌ WRONG vs ✅ CORRECT patterns with file locations
- Installation commands using
bun add - Comprehensive code examples for NestJS + Prisma
- Security and performance considerations
Key Patterns
Agent-Friendly Format
All rules are optimized for AI agents with:
- Explicit file locations (e.g.,
src/users/users.service.ts) - Step-by-step "For AI Agents" sections
- ✅ CORRECT vs ❌ WRONG pattern comparisons
- Quick Reference Checklists
- Clear installation instructions
Technology Stack
- Framework: NestJS with Express/Fastify adapter
- Runtime: Bun (native crypto, scheduling)
- Database: Prisma v7 (sql template tag, interactive transactions)
- Validation: class-validator + class-transformer
- Security: Helmet, CORS whitelisting, rate limiting
- Scheduling: @nestjs/schedule with cron/interval decorators
- Events: EventEmitter2 for loose coupling
Full Compiled Document
For the complete guide with all rules expanded: AGENTS.md
Build Commands
cd packages/nestjs-best-practices-build
bun install
bun run build # Generate AGENTS.md
bun run validate # Validate rule files
bun run dev # Build and validate
Statistics
- 13 sections covering all aspects of NestJS development
- 26 rules prioritized by impact (CRITICAL, HIGH, MEDIUM)
- Prisma v7 compatible database patterns
- Bun runtime native features (Crypto.hashPassword, @nestjs/schedule)
- Agent-optimized for automated code generation and review