diff --git a/http/misconfiguration/node-express-dev-environment.yaml b/http/misconfiguration/node-express-dev-environment.yaml
new file mode 100644
index 0000000000..dc51c4bf26
--- /dev/null
+++ b/http/misconfiguration/node-express-dev-environment.yaml
@@ -0,0 +1,28 @@
+id: node-express-dev-environment
+info:
+ name: Node.js Express NODE_ENV Development Mode - Detection
+ author: FLX
+ severity: medium
+ reference:
+ - https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/express-development-mode-is-enabled/
+ - https://www.synopsys.com/blogs/software-security/nodejs-mean-stack-vulnerabilities.html
+ description: |
+ The Node.js application runs in development mode, which can expose sensitive information, such as source code and secrets, depending on the application.
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: "X-Powered-By: Express"
+ tags: node,nodejs,express,misconfig,development,environment
+
+http:
+ - raw:
+ - |
+ GET {{BaseURL}} HTTP/1.1
+ Content-Type: application/json
+ Connection: close
+
+ t
+ matchers:
+ - type: dsl
+ dsl:
+ - "contains(tolower(all_headers), 'x-powered-by: express') && status_code==400 && contains(body, 'SyntaxError')"
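Review bot: The DSL matcher on the last line accepts any 400 response containing the literal `SyntaxError` from a host that sends `X-Powered-By: Express` as proof of development mode, which is weaker evidence than the finding claims. An application whose custom error handler echoes `err.message` in production would presumably match, while a development-mode application that has disabled the `X-Powered-By` header would be missed. Consider keying on the stack trace itself, for example by adding `&& contains(body, 'node_modules')` (to be confirmed against the verified target), since leaked stack frames with file paths are the actual exposure. The `info` block also has no `remediation` entry; something like `remediation: Set NODE_ENV=production and register an error handler that does not return stack traces.` would tell the operator what to change.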