diff --git a/http/misconfiguration/node-express-dev-environment.yaml b/http/misconfiguration/node-express-dev-env.yaml
similarity index 73%
rename from http/misconfiguration/node-express-dev-environment.yaml
rename to http/misconfiguration/node-express-dev-env.yaml
index 7bcf68eb4d..3050fad10c 100644
--- a/http/misconfiguration/node-express-dev-environment.yaml
+++ b/http/misconfiguration/node-express-dev-env.yaml
@@ -1,6 +1,7 @@
-id: node-express-dev-environment
+id: node-express-dev-env
+
 info:
-  name: Node.js Express NODE_ENV Development Mode - Detection
+  name: Node.js Express NODE_ENV Development Mode
   author: FLX
   severity: medium
   reference:
@@ -9,10 +10,10 @@ info:
   description: |
     The Node.js application runs in development mode, which can expose sensitive information, such as source code and secrets, depending on the application.
   metadata:
+    max-request: 2
     verified: true
-    max-request: 1
     shodan-query: "X-Powered-By: Express"
-  tags: node,nodejs,express,misconfig,development,environment
+  tags: nodejs,express,misconfig,development,environment,trace
 
 flow: http(1) && http(2)
 
@@ -29,12 +30,17 @@ http:
 
   - raw:
       - |
-        GET {{BaseURL}} HTTP/1.1
+        GET / HTTP/1.1
+        Host: {{Hostname}}
         Content-Type: application/json
         Connection: close
 
         t
+
     matchers:
       - type: dsl
         dsl:
-          - "contains(tolower(all_headers), 'x-powered-by: express') && status_code==400 && contains(body, 'SyntaxError')"
+          - "status_code==400"
+          - "contains(body, 'SyntaxError: Unexpected token')"
+          - "contains(tolower(all_headers), 'x-powered-by: express')"
+        condition: and