In Express, when I send a response back to the client, does the data in res.locals get sent back to the client?
I do not want that to be the case as I am storing sensitive data in res.locals.
res.locals is not sent to the client.
The purpose of res.locals is to create a standard place for server-side middleware to put data that is relevant to constructing the response. This data is ONLY available server-side and is NOT automatically available to the client and is not sent with the response unless your code or template explicitly inserts some of that data into the web page.
The classic use for res.locals is when rendering templates because most template rendering engines will look in res.locals for properties that are referenced in the template. So, your server-side code would set up some data in res.locals (usually standard data that applies to lots of templates) and then somewhere in a route handler, you call res.render('sometemplate', ...) and the template engine will look in res.locals for any variables that are specified in the template that were not directly passed as an argument to res.render(). For example, some middleware might check to see if the user is logged in or not, set that state in res.locals and then the template can modify its rendering based on whether they are logged in or not.
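Added example, not part of the original answer and not Express's own code: a stand-alone model of the lookup described above, showing that a value stored in res.locals reaches the client only when a template references it or when code serializes the whole object. The names renderPage, escapeHtml and toClientJson, the `{{ name }}` template syntax and the sample data are assumptions made for illustration.

```javascript
// Stand-alone model of the behaviour described above; it does not load Express.
// renderPage, escapeHtml and toClientJson are hypothetical names; all data is constructed.

// Escape values before inserting them into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Model of res.render(): a variable named in the template is taken from the
// arguments passed to render first, then from res.locals. Nothing else is emitted.
function renderPage(template, resLocals, renderArgs = {}) {
  const scope = { ...resLocals, ...renderArgs };
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(scope, name) ? escapeHtml(scope[name]) : '');
}

// For JSON responses, copy only allow-listed keys instead of sending res.locals whole.
function toClientJson(resLocals, allowedKeys) {
  const out = {};
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(resLocals, key)) out[key] = resLocals[key];
  }
  return JSON.stringify(out);
}

// Constructed sample: what middleware might have stored for one request.
const locals = { loggedIn: true, userName: 'alice', sessionSecret: 'constructed-secret-value' };

// Template references only userName: the secret stays on the server.
const safeBody = renderPage('<p>Hello {{ userName }}</p>', locals);

// Template that explicitly references the secret: now it is in the response.
const leakyBody = renderPage('<p>{{ userName }} {{ sessionSecret }}</p>', locals);

// Serializing the whole object leaks it too; the allow-list does not.
const leakyJson = JSON.stringify(locals);
const safeJson = toClientJson(locals, ['loggedIn', 'userName']);

console.log(safeBody, leakyBody, leakyJson, safeJson);
```

When reviewing an Express app that keeps sensitive values in res.locals, the places to check are templates that name those keys and handlers that pass the whole object to a response or a logger.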