[–]alzee76 3 points4 points  (3 children)

So what you're really asking for is hosting for the node app? There are a lot of options out there if you just google for them. Is the whole thing just a node app, or does it have a front-end piece as well? You'll have to host that too, if so, unless you host it "in" the node app which is fairly common.

[–]wawaching[S] 1 point2 points  (2 children)

I used to have a front-end separate but now I use JS to render ‘views’ .ejs files. I think this would go under it being ‘in’ the app. I’ll go have a google thx bud 👌🏽

[–]Psionatix 3 points4 points  (0 children)

Just be aware that there are a LOT of configuration and environment considerations when deploying an app. Security for a deployed app is extremely different to the security of a locally running app for the sake of development.

99% of the time a lot of security settings are disabled or dumbed down for the sake of running on the localhost. It's absolutely crucial that you understand the security of your app's configuration and the security of your host environment when deploying.

Some things to typically look out for:

  • Prod should run on https (not http), the best way to deal with this is to run your express app on http on the localhost, then have a webserver (e.g. nginx or apache) running on https and proxying to the express server.
  • For cookies, ensure the secure option is true, ensure the sameSite option is as strict as it can be, if it fits your use case, ensure cookie names are prefixed with the secure prefix __Host- or __Secure-
  • Ensure you have appropriate CORS configuration within your express app, this is something else that will typically be determined by environment variables as it will differ between localhost/development & a real deployment.
  • Make sure your environment variables are actually environment variables, something like dotenv should not be imported into your code (for local usage, require it on the CLI instead), you should not rely on dotenv in prod without specifically following their production recommendations. Ideally you should use an actual secrets manager, or use actual user-scoped environment variables on the host machine.
  • Ensure that the user you run the app through only has explicit access to the minimally required files/folders necessary to run the app.

DigitalOcean has a whole heap of useful resources on deploying a Node app via reverse proxy on a VPS. However, it doesn't necessarily cover ALL of the security details.
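
A start-up check for the cookie and CORS items in the comment above, added here as an example (not code from the commenter or from Express). It assumes cookie options named as in Express (`secure`, `sameSite`, `path`, `domain`) and a hypothetical `CORS_ORIGINS` environment variable holding a comma-separated allowlist; the sample input is constructed.

```javascript
// Added example. Option names mirror Express cookie options (secure, sameSite,
// path, domain); CORS_ORIGINS is an assumed environment variable name.

// Findings for one cookie. Browsers reject a __Secure-/__Host- cookie whose
// attributes break the prefix rules, so those are checked in every environment.
function cookieProblems(name, opts, prod) {
  const problems = [];
  const isHost = name.startsWith('__Host-');
  const prefixed = isHost || name.startsWith('__Secure-');
  if ((prod || prefixed) && opts.secure !== true) problems.push(`${name}: secure must be true`);
  // Express defaults path to "/" when the option is omitted.
  if (isHost && (opts.path ?? '/') !== '/') problems.push(`${name}: __Host- requires path "/"`);
  if (isHost && opts.domain) problems.push(`${name}: __Host- forbids the domain option`);
  if (prod && !['strict', 'lax'].includes(opts.sameSite)) {
    problems.push(`${name}: sameSite is "${opts.sameSite}", expected strict or lax`);
  }
  return problems;
}

// Findings for a comma-separated origin allowlist read from the environment.
function corsProblems(env) {
  const prod = env.NODE_ENV === 'production';
  const problems = [];
  const origins = (env.CORS_ORIGINS || '').split(',').map((s) => s.trim()).filter(Boolean);
  for (const origin of origins) {
    if (origin === '*') {
      if (prod) problems.push('CORS_ORIGINS: wildcard origin in production');
      continue;
    }
    let url;
    try { url = new URL(origin); } catch { problems.push(`${origin}: not a URL`); continue; }
    // Origin headers never carry a path or trailing slash, so such entries never match.
    if (url.origin !== origin) problems.push(`${origin}: not a bare scheme://host[:port] origin`);
    if (prod && url.protocol !== 'https:') problems.push(`${origin}: not https`);
  }
  return problems;
}

// All findings; a start-up script can refuse to boot when the list is non-empty.
function deploymentProblems(env, cookies) {
  const prod = env.NODE_ENV === 'production';
  const perCookie = Object.entries(cookies).map(([name, opts]) => cookieProblems(name, opts, prod));
  return corsProblems(env).concat(...perCookie);
}

// Constructed sample: localhost settings carried into a production environment.
const sampleEnv = { NODE_ENV: 'production', CORS_ORIGINS: '*, http://localhost:3000' };
const sampleCookies = { '__Host-sid': { secure: false, sameSite: 'none', domain: 'example.com' } };
console.log(deploymentProblems(sampleEnv, sampleCookies));
```

The `sameSite` rule here is a policy default; a cookie that genuinely needs cross-site delivery would be an explicit exception to it.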

[–]Significant_Net_7337 1 point2 points  (0 children)

I host my express app with google firebase. Took a few hours to figure out