node.js, firebase, express, google-cloud-functions, helmet.js

Should we use Helmet middleware with Express app running on Firebase Cloud Function?


I have built my first Express app after reading documentation and watching many tutorials. I want to run it with a Firebase HTTP Function. The Express docs recommend Helmet middleware for security reasons and I can see why. There are no examples using it with Firebase (at least I can't find any).

So my question is: should we use Helmet middleware with Firebase HTTP functions? Is it recommended?

Using an Express app is not mandatory with Firebase Functions, and all the traffic is going through Google servers, so I think it is not necessary, as Google is taking care of the security issues Helmet should, but I am not sure. There is no information about it in the Firebase docs.


Solution

  • Helmet is just a collection of 13 smaller middleware (see Helmet's docs for the full list—that number may change in the future). Each of these sets one or more HTTP response headers related to security. Some of this stuff is only applicable in browsers (such as the ieNoOpen middleware) while others can be used outside of a browser context.

    If these headers would improve the security of whatever user-agent makes HTTP requests to your Firebase, you should use Helmet.
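To see which of these headers a function actually returns, rather than assuming the hosting platform adds them, you can audit a saved response head (for example the output of `curl -sI` against the function URL). The script below is an added example, not part of the original answer or of Helmet: `parseHead`, `auditHead` and both sample responses are constructed for illustration, and the header list is a subset of what Helmet manages.

```javascript
'use strict';
// Response headers set by Helmet middleware (header name -> Helmet middleware name).
// This is a subset chosen for the example; see Helmet's docs for the full list.
const HELMET_HEADERS = {
  'content-security-policy': 'contentSecurityPolicy',
  'strict-transport-security': 'hsts',
  'x-content-type-options': 'noSniff',
  'x-frame-options': 'frameguard',
  'x-download-options': 'ieNoOpen',
  'referrer-policy': 'referrerPolicy',
};

// Parse a raw response head ("curl -sI" style) into a Map of lowercase name -> value.
function parseHead(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    if (line.trim() === '') break;                  // a blank line ends the head
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                         // ignore malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated headers are folded into one comma-separated value.
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// Report which audited headers are absent and whether X-Powered-By is exposed
// (Express sends it by default; Helmet's hidePoweredBy removes it).
function auditHead(raw) {
  const headers = parseHead(raw);
  const missing = Object.keys(HELMET_HEADERS).filter((h) => !headers.has(h));
  const leaks = headers.has('x-powered-by') ? ['x-powered-by'] : [];
  return { missing, leaks };
}

// Constructed samples, not captured from a real deployment.
const BARE = ['HTTP/1.1 200 OK', 'Content-Type: application/json; charset=utf-8',
  'X-Powered-By: Express', '', ''].join('\r\n');
const HARDENED = ['HTTP/1.1 200 OK', 'Content-Type: application/json; charset=utf-8',
  "Content-Security-Policy: default-src 'self'",
  'Strict-Transport-Security: max-age=15552000; includeSubDomains',
  'X-Content-Type-Options: nosniff', 'X-Frame-Options: SAMEORIGIN',
  'X-Download-Options: noopen', 'Referrer-Policy: no-referrer', '', ''].join('\r\n');

for (const [label, head] of [['bare', BARE], ['hardened', HARDENED]]) {
  const { missing, leaks } = auditHead(head);
  console.log(label, 'missing:', missing.map((h) => `${h} (${HELMET_HEADERS[h]})`), 'leaks:', leaks);
}
```

Whether each missing header matters depends on the client: a browser-only header such as the one ieNoOpen sets does nothing for a server-to-server API consumer.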