Helmet middleware adds security headers - express-validator provides input validation - express-rate-limit prevents brute force - csurf provides CSRF protection