Express: Is it a good idea to add the helmet lib by default in Express?

Created on 29 Sep 2017 · 8 Comments · Source: expressjs/express

Helmet is a good lib that complements Express security; wouldn't it be better to add it by default in Express?

discuss


All 8 comments

Express doesn't really include anything out of the box, besides the absolute essentials. Express 3.x used to include a lot, but it got out-of-hand, especially when those modules didn't match the same support policies of Express itself.

Now, I'm not saying this applies to helmet, I would have to talk with the maintainer(s) to better understand, ideally they should be willing to support this as well. Just wanted to give some background, especially around the goal of Express 4 was specifically to _not_ include middlewares with Express.

If Express's goal is not to include middlewares, including helmet sounds unnecessary, but it would be nice to add helmet's features to Express core.

Which features? What would it take to add those features? We could maybe do so, but need to better understand what the ask is here.

Security should be a concept handled at design / architecture stage of an App / Service and not a package being added to core - please don't even consider adding it to core.

Please keep express minimalistic and free of opinionated middleware. I especially don't like how helmet was written. The core concepts in helmet are good, but most of it is setting the correct response headers. Trivial stuff to rewrite.

If OP wants to include certain middleware into their app then encourage them to write their own opinionated app framework on top of express.
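To illustrate what the comment above means by "setting the correct response headers", here is an added example (not code from the thread, from helmet or from Express) of a small Express-style middleware that sets a baseline of security headers; the header values are common defaults chosen for the example, not helmet's exact configuration.

```javascript
'use strict';

// Added example: a baseline set of security response headers of the kind
// helmet bundles. Values are common defaults, not helmet's own configuration.
const SECURITY_HEADERS = Object.freeze({
  'X-Content-Type-Options': 'nosniff',              // disable MIME sniffing
  'X-Frame-Options': 'DENY',                        // forbid framing (clickjacking)
  'Referrer-Policy': 'no-referrer',                 // do not leak URLs to other origins
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains', // HSTS, 180 days
  'Content-Security-Policy': "default-src 'self'",  // same-origin resources only
});

// Express middleware signature (req, res, next). It only relies on
// setHeader/removeHeader, so it can be unit-tested without Express itself.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  // Drop the framework banner if the app has set one.
  res.removeHeader('X-Powered-By');
  next();
}

// Test helper: run the middleware against a minimal fake response object
// (constructed here) and return the resulting headers.
function applyToFakeResponse(initialHeaders = {}) {
  const headers = { ...initialHeaders };
  const res = {
    setHeader(name, value) { headers[name] = value; },
    removeHeader(name) { delete headers[name]; },
  };
  let nextCalled = false;
  securityHeaders({}, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// In a real app this would be registered as: app.use(securityHeaders);
```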

Absolutely agree with previous comment! Please, don't pollute codebase with external plugins.

Definitely we don't need a big, bloated with 'middleware of someone choice' Express. Keep it minimal.

And leave links to all good middlewares in "best practices" (just like it is now). People will find them, learn them and use them if they need them.

Another great reason to not include Helmet or other plugins is FOCUS. More developers will stay FOCUSED on the other repos and improve that code and that concept. Otherwise, Express becomes a webserver/security project when it should focus on being a webserver.
