Mantra how-to guide

Add helmet package to a Mantra project

You can use popular Node.js and Express security packages in a Mantra project. This how-to guide explains how to integrate them.

03-May-2022

Node.js has one of the richest software ecosystems out there, considering the number of packages available to integrate into your own projects.

Some of these packages are very useful and popular, like helmet, which helps to secure Express applications, and others such as cors and ddos.

How do you use them in a standard Mantra application?

Given that a Mantra web application relies on Express, you can use all its mechanisms, but in the right place.

Once all components are loaded and initialized (registering all their hooks), Mantra calls the "onServerStarted" method, if present, in your Start() component object.

That method receives the application instance of Express, and that's the right place to add helmet or other security components, like in this snippet extracted from a real project:

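// Method of the Start() component object; Mantra calls it with the Express app instance.
async onServerStarted( app, Mantra ) {
    // Use the API instance received as a parameter (the original snippet referenced an undeclared MantraAPI).
    const config = Mantra.GetComponentConfig("yourcomponent");

    // Register the security middleware only when a web service is active and the component config enables it.
    if ( areServicesEnabled(Mantra) && config.enablesecurity ) {
        const ddos = require("ddos");

        // Request throttling per client.
        app.use( new ddos({burst: 50, limit: 200, expiry: 1, maxexpiry: 5 }).express );
        // cors with its default options.
        app.use( require("cors")() );
        // helmet with its default set of security response headers.
        app.use( require("helmet")() );
    }
}

// True when at least one of the view, post or get services is active.
function areServicesEnabled(Mantra) {
    return Mantra.IsServiceActive("view") || Mantra.IsServiceActive("post") || Mantra.IsServiceActive("get");
}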
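
The snippet above calls cors with its default options, which answer cross-origin requests from any origin. The following is an added example, not code from the original project or from Mantra, showing the same hook with an origin allow-list; the "allowedorigins" config key and the helper names are hypothetical.

```javascript
// Added example. "allowedorigins" is a hypothetical key in the component config.

// Canonical form of an allow-list entry ("https://Shop.example.test:443/" -> "https://shop.example.test").
function normalizeOrigin(value) {
    try {
        const origin = new URL(value).origin;
        return origin === "null" ? null : origin; // opaque origins (file:, data:) are never allowed
    } catch {
        return null; // not a URL: drop the entry instead of matching it by accident
    }
}

// Options for the cors package: only allow-listed origins receive CORS response headers.
function buildCorsOptions(allowedOrigins) {
    const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
    return {
        // cors calls this per request; passing false disables CORS for that request.
        origin(origin, callback) {
            callback(null, typeof origin === "string" && allowed.has(origin));
        },
        methods: ["GET", "POST"] // assumption: the application only serves GET and POST
    };
}

function registerSecurityMiddleware(app, config) {
    const Ddos = require("ddos");
    const helmet = require("helmet");
    const cors = require("cors");

    app.use(new Ddos({ burst: 50, limit: 200, expiry: 1, maxexpiry: 5 }).express);
    // helmet before cors: cors answers preflight (OPTIONS) requests itself,
    // so middleware registered after it never sees them.
    app.use(helmet());
    app.use(cors(buildCorsOptions(config.allowedorigins || [])));
}

// Same hook as in the snippet above, delegating to the helper.
const startHandlers = {
    async onServerStarted(app, Mantra) {
        const config = Mantra.GetComponentConfig("yourcomponent");
        if (config.enablesecurity) registerSecurityMiddleware(app, config);
    }
};
```

An empty or missing "allowedorigins" list leaves CORS disabled for every origin, so cross-origin access has to be granted explicitly.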

If you want to read more about methods called by Mantra when starting the project, read the official documentation.