Blog

When you return a user entity from a NestJS controller, it serializes every property — including the ones you never meant to expose. Passwords, refresh tokens, and internal flags can quietly leak.

The fix is the @Exclude() decorator from class-transformer. Wrap your entity, mark the sensitive fields, and apply the ClassSerializerInterceptor globally:

import { Exclude } from 'class-transformer';

export class User {
  id: string;
  email: string;
  @Exclude() password: string;
  @Exclude() refreshToken?: string;
}

Then in main.ts add the interceptor so every response runs through it. You now ship by default secure — adding a new sensitive field is a one-decorator job, not a one-incident postmortem.

GET retrieves. POST creates. PUT replaces. PATCH partially updates. DELETE removes. HEAD returns headers only. OPTIONS describes what's allowed. The semantic difference matters more than the wire format.

NestJS makes each one a decorator: @Get(), @Post(), @Put(), @Patch(), @Delete(), @Head(), @Options(). Pair them with DTOs and validation pipes, and you have a self-documenting contract.

The mistake I see most often: using POST for everything because 'it works.' Caches, retries, idempotency — all of these depend on you picking the right verb. Get this right and your API ages well.

Indian B2B doesn't run on Salesforce. It runs on WhatsApp, GST invoices, and IndiaMART leads. Build for that reality and you win.

Three things SalesTub got right: a Hindi/Tamil-friendly UI, native WhatsApp threading attached to deals, and GST-ready invoicing baked into the pipeline. The CRM disappears — what's left is a sales motion that actually fits.

Lesson: localize the workflow, not just the language. Global tools wedged into Indian operations always lose to ones designed for the way work actually happens here.