diff --git a/app/templates/server/api/thing/thing.controller.js b/app/templates/server/api/thing/thing.controller.js index ba84d6fc9..aa3fffeef 100644 --- a/app/templates/server/api/thing/thing.controller.js +++ b/app/templates/server/api/thing/thing.controller.js @@ -37,7 +37,7 @@ exports.index = function(req, res) {<% if (!filters.mongoose) { %> ]);<% } %><% if (filters.mongoose) { %> Thing.find(function (err, things) { if(err) { return handleError(res, err); } - return res.json(200, things); + return res.status(200).json(things); });<% } %> };<% if (filters.mongoose) { %> @@ -45,7 +45,7 @@ exports.index = function(req, res) {<% if (!filters.mongoose) { %> exports.show = function(req, res) { Thing.findById(req.params.id, function (err, thing) { if(err) { return handleError(res, err); } - if(!thing) { return res.send(404); } + if(!thing) { return res.status(404).end(); } return res.json(thing); }); }; @@ -54,7 +54,7 @@ exports.show = function(req, res) { exports.create = function(req, res) { Thing.create(req.body, function(err, thing) { if(err) { return handleError(res, err); } - return res.json(201, thing); + return res.status(201).json(thing); }); }; @@ -63,11 +63,11 @@ exports.update = function(req, res) { if(req.body._id) { delete req.body._id; } Thing.findById(req.params.id, function (err, thing) { if (err) { return handleError(res, err); } - if(!thing) { return res.send(404); } + if(!thing) { return res.status(404).end(); } var updated = _.merge(thing, req.body); updated.save(function (err) { if (err) { return handleError(res, err); } - return res.json(200, thing); + return res.status(200).json(thing); }); }); }; 
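Review bot: `exports.show` in thing.controller.js (-45,7 hunk) still passes `req.params.id` straight to `Thing.findById`, although this same commit adds an ObjectId check to the user controller. A malformed id here presumably surfaces as a cast error and is answered by `handleError` with a 500 instead of a 404. The same guard would fit at the top of the handler: `if(!mongoose.Types.ObjectId.isValid(req.params.id)) { return res.status(404).end(); }`, with `mongoose` required in this file if it is not already. The `update` (-63,11) and `destroy` (-76,14) hunks have the same gap.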
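Review bot: In `exports.update` (-63,11 hunk), `_.merge(thing, req.body)` copies every client-supplied property except `_id` onto the stored document, so the request body decides which fields change. Consider merging only an allow-list, e.g. `var updated = _.merge(thing, _.pick(req.body, ALLOWED_FIELDS));`, where `ALLOWED_FIELDS` is a placeholder for the schema paths clients may edit. `Thing.create(req.body)` in the -54,7 hunk takes the body unfiltered in the same way. A comment such as `// req.body is untrusted: only allow-listed fields are merged` would record the intent.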
@@ -76,14 +76,14 @@ exports.update = function(req, res) { exports.destroy = function(req, res) { Thing.findById(req.params.id, function (err, thing) { if(err) { return handleError(res, err); } - if(!thing) { return res.send(404); } + if(!thing) { return res.status(404).end(); } thing.remove(function(err) { if(err) { return handleError(res, err); } - return res.send(204); + return res.status(204).end(); }); }); }; function handleError(res, err) { - return res.send(500, err); -}<% } %> \ No newline at end of file + return res.status(500).json(err); +}<% } %> diff --git a/app/templates/server/api/user(auth)/user.controller.js b/app/templates/server/api/user(auth)/user.controller.js index f4cd10c29..5ec88fbf3 100644 --- a/app/templates/server/api/user(auth)/user.controller.js +++ b/app/templates/server/api/user(auth)/user.controller.js @@ -2,11 +2,12 @@ var User = require('./user.model'); var passport = require('passport'); +var mongoose = require('mongoose'); var config = require('../../config/environment'); var jwt = require('jsonwebtoken'); var validationError = function(res, err) { - return res.json(422, err); + return res.status(422).json(err); }; /** @@ -15,15 +16,15 @@ var validationError = function(res, err) { */ exports.index = function(req, res) { User.find({}, '-salt -hashedPassword', function (err, users) { - if(err) return res.send(500, err); - res.json(200, users); + if(err) return res.status(500).json(err); + res.status(200).json(users); }); }; /** * Creates a new user */ -exports.create = function (req, res, next) { +exports.create = function (req, res) { var newUser = new User(req.body); newUser.provider = 'local'; newUser.role = 'user'; 
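Review bot: `handleError` now returns `res.status(500).json(err)`, which serialises the raw error object to the client; depending on the error, that can expose internal field names, query values or paths. Log the error on the server and send an empty body instead: `return res.status(500).end();`. The same pattern appears in user.controller.js in `exports.index` (-15,15 hunk) and `exports.destroy` (-52,16 hunk), where `res.status(500).json(err)` is called directly.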
@@ -40,9 +41,14 @@ exports.create = function (req, res, next) { exports.show = function (req, res, next) { var userId = req.params.id; + // If the ID is not a valid mongoose ObjectID, return 404 + if(!mongoose.Types.ObjectId.isValid(userId)) { + return res.status(404).end(); + } + User.findById(userId, function (err, user) { if (err) return next(err); - if (!user) return res.send(401); + if (!user) return res.status(401).end(); res.json(user.profile); }); }; @@ -52,16 +58,20 @@ exports.show = function (req, res, next) { * restriction: 'admin' */ exports.destroy = function(req, res) { + // If the ID is not a valid mongoose ObjectID, return 404 + if(!mongoose.Types.ObjectId.isValid(req.params.id)) { + return res.status(404).end(); + } User.findByIdAndRemove(req.params.id, function(err, user) { - if(err) return res.send(500, err); - return res.send(204); + if(err) return res.status(500).json(err); + return res.status(204).end(); }); }; /** * Change a users password */ -exports.changePassword = function(req, res, next) { +exports.changePassword = function(req, res) { var userId = req.user._id; var oldPass = String(req.body.oldPassword); var newPass = String(req.body.newPassword); @@ -71,10 +81,10 @@ exports.changePassword = function(req, res, next) { user.password = newPass; user.save(function(err) { if (err) return validationError(res, err); - res.send(200); + res.status(200).end(); }); } else { - res.send(403); + res.status(403).end(); } }); }; @@ -88,14 +98,14 @@ exports.me = function(req, res, next) { _id: userId }, '-salt -hashedPassword', function(err, user) { // don't ever give out the password or salt if (err) return next(err); - if (!user) return res.json(401); - res.json(user); + if (!user) return res.status(401).end(); + res.status(200).json(user); }); }; /** * Authentication callback */ -exports.authCallback = function(req, res, next) { +exports.authCallback = function(req, res) { res.redirect('/'); }; 
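Review bot: `exports.show` answers 404 for a malformed id but 401 for a well-formed id that matches no user (`if (!user) return res.status(401).end();`), so the two "no such user" cases get different status codes and the second wrongly signals missing authentication. Returning 404 in both places keeps the handler consistent: `if (!user) return res.status(404).end();`. The comment above the new guard could then read `// Unknown and malformed ids both yield 404`.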
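Review bot: `user.password = newPass` in the -71,10 hunk stores a value built with `String(req.body.newPassword)` (visible at the end of the previous hunk), so a request that omits the field would set the password to the literal string `undefined` unless model validation, not visible here, rejects it. A guard before the lookup would close that: `if (typeof req.body.newPassword !== 'string' || !req.body.newPassword) return res.status(422).end();`. The condition guarding this branch lies outside the hunk, so this assumes it checks only the old password.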
diff --git a/app/templates/server/auth(auth)/auth.service.js b/app/templates/server/auth(auth)/auth.service.js index 38ec34302..35218d33d 100644 --- a/app/templates/server/auth(auth)/auth.service.js +++ b/app/templates/server/auth(auth)/auth.service.js @@ -27,7 +27,7 @@ function isAuthenticated() { .use(function(req, res, next) { User.findById(req.user._id, function (err, user) { if (err) return next(err); - if (!user) return res.send(401); + if (!user) return res.status(401).end(); req.user = user; next(); @@ -48,7 +48,7 @@ function hasRole(roleRequired) { next(); } else { - res.send(403); + res.status(403).end(); } }); } @@ -73,4 +73,4 @@ function setTokenCookie(req, res) { exports.isAuthenticated = isAuthenticated; exports.hasRole = hasRole; exports.signToken = signToken; -exports.setTokenCookie = setTokenCookie; \ No newline at end of file +exports.setTokenCookie = setTokenCookie; diff --git a/app/templates/server/components/errors/index.js b/app/templates/server/components/errors/index.js index 4c5a57c99..30965fc23 100644 --- a/app/templates/server/components/errors/index.js +++ b/app/templates/server/components/errors/index.js @@ -13,7 +13,7 @@ module.exports[404] = function pageNotFound(req, res) { res.status(result.status); res.render(viewFilePath, function (err) { - if (err) { return res.json(result, result.status); } + if (err) { return res.status(result.status).json(result); } res.render(viewFilePath); }); diff --git a/test/fixtures/package.json b/test/fixtures/package.json index 856e4fcc2..3d3093bc3 100644 --- a/test/fixtures/package.json +++ b/test/fixtures/package.json @@ -3,7 +3,7 @@ "version": "0.0.0", "main": "server/app.js", "dependencies": { - "express": "~4.0.0", + "express": "~4.9.0", "morgan": "~1.0.0", "body-parser": "~1.5.0", "method-override": "~1.0.0",
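Review bot: In `pageNotFound` (errors/index.js, -13,7 hunk), the success path of the `res.render(viewFilePath, function (err) { ... })` callback discards the HTML it was just handed and calls `res.render(viewFilePath)` again, so the view is rendered twice for every 404. Taking the second callback argument avoids that: `res.render(viewFilePath, function (err, html) {` with `res.send(html);` in place of the inner `res.render`. The function starts above this hunk, so `viewFilePath` and `result` are assumed to be set as the context lines suggest.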