Security best practice missing: post-quantum cryptography readiness for Node.js APIs #1415

@thecolourfoundation

What's missing

The security section covers the essentials well — Helmet, rate limiting,
input validation, secrets management. But there's a growing gap:
post-quantum cryptography (PQC) readiness.

NIST finalized ML-KEM and ML-DSA as official PQC standards in 2024, and
"harvest now, decrypt later" attacks mean APIs handling sensitive data are
already at risk even before quantum computers are widely available.

Why it matters for Node.js developers

Most Node.js security guidance still assumes classical cryptography is
sufficient. As of 2026, that assumption is increasingly outdated —
especially for APIs in fintech, healthcare, and any domain handling
long-lived sensitive data.

Suggested addition

A best practice around PQC readiness for Express/Fastify/Hono APIs,
covering:

  • When to start caring (now, for sensitive data)
  • What NIST standards are relevant (ML-KEM for key exchange, ML-DSA
    for signatures)
  • Available tooling — e.g. commes,
    which adds PQC + real-time AI threat detection as middleware

References

Happy to help draft the actual best practice content if this direction
makes sense to the maintainers.
