
fix(templates): add helmet middleware to Express backend templates#248

Open

Alisha-21-cloud wants to merge 1 commit into celtrix-os:main from Alisha-21-cloud:feat/helmet-secure-headers
Conversation

@Alisha-21-cloud

Walkthrough: Securing Express APIs using Helmet

I've successfully implemented the changes outlined in Issue #247 to secure the Express API templates scaffolded by Celtrix.

Changes Made

1. Template package.json Updates

All relevant template package.json files have been updated (or verified) to include helmet:

  • Added/verified "helmet": "^8.1.0" in package.json for Express templates (e.g. mevn+tailwind+auth, mern/Ts-Backend).
  • Removed the unnecessary "@types/helmet" from templates/mern/Ts-Backend/package.json, as helmet v8+ includes its own TypeScript types.
  • For templates where package.json is generated dynamically by Celtrix (via npm init -y), verified that utils/installer.js and utils/customGenerators/backendGenerator.js already successfully inject helmet into the dependencies array.

2. Template Server Middleware Configuration

Added helmet to the top of the middleware stack for all Express-based server.js / server.ts / app.ts files inside the templates/ directory:

  • templates/mern/server/server.js
  • templates/mean/server/server.js
  • templates/mevn/server/server.js
  • templates/mean+tailwind+auth/server/server.js
  • templates/mern+tailwind+auth/server/server.js
  • templates/mevn+tailwind+auth/server/server.js
  • templates/mevn+tailwind+auth/javascript/server/server.js
  • templates/mevn+tailwind+auth/typescript/server/server.js

Important

In all these files, app.use(helmet()) has been correctly positioned as the very first middleware, before express.json() and cors(), ensuring HTTP headers are set immediately.

3. README Updates

Added a Security section to the existing backend README file (templates/mern/Ts-Backend/readme.md) briefly detailing the inclusion of Helmet and what it protects against.

Verification

You can verify the functionality by running a standard Celtrix scaffold for an Express-based stack and inspecting the API response headers:

curl -I http://localhost:5000/

Expected headers in the response:

  • Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
  • X-Frame-Options: SAMEORIGIN
  • X-Content-Type-Options: nosniff
  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • X-Download-Options: noopen
  • X-DNS-Prefetch-Control: off
  • Referrer-Policy: no-referrer

(Note: it also successfully removes the default X-Powered-By: Express header to prevent information disclosure.)

Closes #247
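The Verification section above describes checking the response headers by hand. As an added example (not code from this PR or from Celtrix), the script below parses `curl -I` output and reports which of the listed Helmet headers are missing or wrong, whether the CSP still carries the framing and plugin restrictions, and whether X-Powered-By is still exposed. Both sample responses are constructed, not captured from a real scaffold.

```javascript
// Added example (not part of the PR): check a `curl -I` response for the headers Helmet should set.
// Expected values are taken from the PR description; null means "present, directives checked separately".
const EXPECTED_HEADERS = {
  'content-security-policy': null,
  'x-frame-options': 'SAMEORIGIN',
  'x-content-type-options': 'nosniff',
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-download-options': 'noopen',
  'x-dns-prefetch-control': 'off',
  'referrer-policy': 'no-referrer',
};
// CSP directives from Helmet's default policy that block plugin content and framing by other origins.
const REQUIRED_CSP_DIRECTIVES = ["default-src 'self'", "frame-ancestors 'self'", "object-src 'none'"];
// Parse raw `curl -I` output into a map of lower-cased header name -> value.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // status line or blank line
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}
// Return a list of findings; an empty list means the response matches the PR's expectations.
function checkHelmetHeaders(raw) {
  const headers = parseHeaders(raw);
  const findings = [];
  for (const [name, expected] of Object.entries(EXPECTED_HEADERS)) {
    if (!(name in headers)) findings.push(`missing header: ${name}`);
    else if (expected !== null && headers[name] !== expected) findings.push(`unexpected value for ${name}: ${headers[name]}`);
  }
  const directives = (headers['content-security-policy'] || '').split(';').map((d) => d.trim());
  for (const d of REQUIRED_CSP_DIRECTIVES) if (!directives.includes(d)) findings.push(`CSP lacks directive: ${d}`);
  if ('x-powered-by' in headers) findings.push('X-Powered-By still present (information disclosure)');
  return findings;
}
// Constructed sample: what `curl -I http://localhost:5000/` should print once helmet() runs first.
const SAMPLE_OK = [
  'HTTP/1.1 200 OK',
  "Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
  'X-Frame-Options: SAMEORIGIN',
  'X-Content-Type-Options: nosniff',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  'X-Download-Options: noopen',
  'X-DNS-Prefetch-Control: off',
  'Referrer-Policy: no-referrer',
].join('\r\n');
// Constructed sample: a template that still lacks helmet and leaks the framework name.
const SAMPLE_BAD = ['HTTP/1.1 200 OK', 'X-Powered-By: Express', 'Content-Type: text/html'].join('\r\n');
```

Pipe real output in with `curl -sI http://localhost:5000/` and call checkHelmetHeaders on it; an empty findings list is the pass condition.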

@Alisha-21-cloud

@JoeCelaster I've opened a PR for Issue #247 — adding helmet middleware to all Express-based backend templates scaffolded by Celtrix.

Would love to get a review when you get the chance! Happy to make any changes based on your feedback.

Alisha-21-cloud changed the title from "feat(templates): add helmet middleware to Express backend templates" to "fix(templates): add helmet middleware to Express backend templates" on Jun 20, 2026.

Development

Successfully merging this pull request may close these issues.

[FEAT] Secure Express API headers using helmet middleware