What's missing
The security section covers the essentials well — Helmet, rate limiting,
input validation, secrets management. But there's a growing gap:
post-quantum cryptography (PQC) readiness.
NIST finalized ML-KEM and ML-DSA as official PQC standards in 2024, and
"harvest now, decrypt later" attacks mean APIs handling sensitive data are
already at risk even before quantum computers are widely available.
Why it matters for Node.js developers
Most Node.js security guidance still assumes classical cryptography is
sufficient. As of 2026, that assumption is increasingly outdated —
especially for APIs in fintech, healthcare, and any domain handling
long-lived sensitive data.
Suggested addition
A best practice around PQC readiness for Express/Fastify/Hono APIs,
covering:
- When to start caring (now, for sensitive data)
- What NIST standards are relevant (ML-KEM for key exchange, ML-DSA
for signatures)
- Available tooling — e.g. commes,
which adds PQC + real-time AI threat detection as middleware
References
Happy to help draft the actual best practice content if this direction
makes sense to the maintainers.