Fix Missing Security Headers on Express

Express serves API and SSR apps with no security headers until you add them. The helmet package centralizes modern defaults and lets you override each of its middlewares individually, for example the CSP directives, the HSTS max-age, and the cross-origin policies.

Mount helmet() early in the chain so every route inherits the baseline, then tighten the contentSecurityPolicy directives once you have removed inline scripts. For APIs, deny framing; enable crossOriginEmbedderPolicy only if your clients actually require it.
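As an added example (not code from the page or from the helmet project), the configuration described above expressed as a helmet options object, plus a small audit function that reports which of those headers a response is missing or has set too weakly. The option names (contentSecurityPolicy, hsts, frameguard, crossOriginEmbedderPolicy) are helmet's; the two header maps are constructed samples standing in for a bare Express response and a helmet-hardened one.

```javascript
const ONE_YEAR = 365 * 24 * 60 * 60; // seconds; the usual HSTS floor for preload

// Pass this object to helmet(helmetOptions) once inline scripts are gone.
const helmetOptions = {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],        // no 'unsafe-inline'
      objectSrc: ["'none'"],
      frameAncestors: ["'none'"],   // CSP-level framing block
    },
  },
  hsts: { maxAge: ONE_YEAR, includeSubDomains: true, preload: true },
  frameguard: { action: 'deny' },     // X-Frame-Options: DENY
  crossOriginEmbedderPolicy: false,   // leave off for an API unless clients need COEP
};

// Serialise a directive map the way helmet does: kebab-case names, ';'-joined.
function cspHeaderFrom(directives) {
  return Object.entries(directives)
    .map(([name, values]) => name.replace(/[A-Z]/g, c => '-' + c.toLowerCase()) + ' ' + values.join(' '))
    .join(';');
}

// Return a list of findings for a response header map (names are case-insensitive).
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  if ('x-powered-by' in h) findings.push('x-powered-by leaks the framework; helmet removes it');
  const csp = h['content-security-policy'];
  if (!csp) findings.push('content-security-policy missing');
  else if (/unsafe-inline/.test(csp)) findings.push("content-security-policy allows 'unsafe-inline'");
  const m = /max-age=(\d+)/i.exec(h['strict-transport-security'] || '');
  if (!m) findings.push('strict-transport-security missing');
  else if (Number(m[1]) < ONE_YEAR) findings.push(`hsts max-age ${m[1]} is below one year`);
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && !/frame-ancestors/.test(csp || '')) findings.push('framing not blocked (x-frame-options or frame-ancestors)');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('x-content-type-options missing');
  return findings;
}

// Constructed sample: what a bare Express app sends before helmet is mounted.
const bareExpressHeaders = { 'X-Powered-By': 'Express', 'Content-Type': 'application/json' };
// Constructed sample: the same route after helmet(helmetOptions).
const hardenedHeaders = {
  'Content-Security-Policy': cspHeaderFrom(helmetOptions.contentSecurityPolicy.directives),
  'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains; preload`,
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Content-Type': 'application/json',
};
```

Run auditHeaders against a real response's headers object (for example from a supertest or fetch call) to confirm the baseline survives later middleware.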

For CORS plus headers, see CORS on Express.

Open HeadersFixer →