Add helmet to the express server to avoid common security vulnerabilities

Couple of things on that.

First, its introduction would probably be a breaking change so would have to wait until the next major version.

Second, it adds yet more complexity to Node-RED in an area that - in my personal view - should be dealt with externally. Where do you stop with security changes? A node.js app is - again in my personal view - not really that good a place to be cramming in security. That is far better done externally, via a reverse proxy for example. I have always been clear on my stance over that. I don't personally recommend using Node-RED's authentication for example. This is born out of my long experience in cyber security.

And as a final point, I don't think you actually need Helmet - the headers can easily be included without it. In fact, Node-RED already has the capability to add your own middleware.

So my own opinion, for what it is worth, is that this would be better covered by some security guidance documentation.

With the guidance including:

  1. Use a good 3rd-party external security solution such as Cloudflare Zero Trust if you don't have security expertise on hand.
  2. Otherwise, use security in depth, using specialist, battle-hardened security tooling (e.g. via a reverse proxy)
  3. With some further guidance on what security headers people should be using
  4. And, as a last resort, how to implement helmet and/or good ExpressJS security settings in Node-RED itself.
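Points 3 and 4 of the reply above (which headers to send, and how to do it from Node-RED itself without Helmet) in working form. This is an added example, not code from the original post or from the Node-RED project: a plain Express-style middleware that sets the common security headers, suitable for the `httpNodeMiddleware` / `httpAdminMiddleware` options in Node-RED's `settings.js`. The header values are illustrative defaults (the Content-Security-Policy in particular has to be tuned to what your flows and dashboard actually load), and `applyToFakeResponse` is a constructed stand-in for Express objects so the result can be inspected offline.

```javascript
// Added example (not Node-RED project code): set Helmet-style security headers from a
// single Express middleware. Header values below are illustrative defaults.

const SECURITY_HEADERS = {
  // Stop browsers MIME-sniffing a response away from its declared Content-Type.
  "X-Content-Type-Options": "nosniff",
  // Refuse framing by other origins (clickjacking); frame-ancestors in CSP covers modern browsers.
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy":
    "default-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'",
  // Do not leak full URLs (which may carry tokens or flow paths) to third-party sites.
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Cross-Origin-Opener-Policy": "same-origin",
};

// HSTS only makes sense when the client really connected over TLS, either directly or via a
// reverse proxy that sets X-Forwarded-Proto. Browsers ignore it on plain HTTP anyway.
function isTls(req) {
  if (req.secure) return true;
  const xfp = req.headers && req.headers["x-forwarded-proto"];
  return typeof xfp === "string" && xfp.split(",")[0].trim().toLowerCase() === "https";
}

// options.headers lets a deployment override or add headers; options.hstsMaxAge = 0 disables HSTS.
function securityHeaders(options = {}) {
  const headers = Object.assign({}, SECURITY_HEADERS, options.headers || {});
  const hstsMaxAge = options.hstsMaxAge === undefined ? 15552000 : options.hstsMaxAge; // 180 days
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    if (hstsMaxAge > 0 && isTls(req)) {
      res.setHeader("Strict-Transport-Security", `max-age=${hstsMaxAge}; includeSubDomains`);
    }
    // Express adds X-Powered-By before user middleware runs; drop it so the stack is not advertised.
    res.removeHeader("X-Powered-By");
    next();
  };
}

// Usage in settings.js (hypothetical fragment, not the default file):
//   httpNodeMiddleware: securityHeaders(),
//   httpAdminMiddleware: securityHeaders({ hstsMaxAge: 0 }),  // e.g. when the editor is only reachable over a TLS-terminating proxy

// Run the middleware against a minimal fake request/response so the resulting headers can be
// checked without starting a server. Constructed stand-in, not a real Express req/res.
function applyToFakeResponse(reqOverrides = {}) {
  const req = Object.assign({ secure: false, headers: {} }, reqOverrides);
  const headers = { "X-Powered-By": "Express" }; // what Express would have set already
  const res = {
    setHeader: (name, value) => { headers[name] = value; },
    removeHeader: (name) => { delete headers[name]; },
  };
  let nextCalled = false;
  securityHeaders()(req, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}
```

The middleware only covers the paths Node-RED routes it through; static files served outside it, or any other service behind the same hostname, are not protected, which is exactly the argument above for setting these headers at a reverse proxy instead. If you do run behind a proxy, remember that `req.secure` will be false unless Node-RED's `trust proxy` handling is configured, hence the `X-Forwarded-Proto` check.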