Easy. Uninstall Atom. Install WebStorm instead.

But Node JS is session-less connection. Plugin session or any kind of its seem turning back to PHP. I would not like going back to that road. Is there any kind of storage I can store any kind of token for appending it later on in the http api call header.

Thank you for your reply. I plan to use jwt token to clarify every api request. How can I not store jwt in client browser but have the ability to use it? any suggestion?

I am using express-rate-limit from npm. It seem to work well.

Thank you for your suggestion. Firstly, your advice on using proxy with NGINX seem more comprehensive than my approach. I am currently using express-rate-limit from npm for limiting request per IP address. It seem to work but I will have a look at using proxy. Secondly, by saying unintended API call, I mean CSRF/XSS attack. I store sensitive variables such as jwt token, user's id, user's email ... in localStorage (which is popular among NodeJS developers) and in Redux. Is there any possibility that hackers could access those variables which are stored in Redux and in localStorage for illegal purposes?

Here is my repo to my project https://github.com/lordknight1904/luanan I don't think the idea you gave me would solve my problem. I know I should make routes as a function, but this is server side rendering. Because of that, server.js have function called match(), which take routes as the first parameter as an object, not a function. I don't know I have pinned the problem right or understand it completely. Please help me!

I am using FireBase with this.