Third-party middleware

Integrating common third-party middleware like cors, helmet, and morgan.

Since Express 4

Syntax

```js
app.use(thirdPartyMiddleware([options]))
```

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| options | object | No | Package-specific configuration passed to the middleware factory. |

Returns

function — A middleware function mounted with app.use().

Examples

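```js
import express from 'express';
import helmet from 'helmet';
import cors from 'cors';
import morgan from 'morgan';

const app = express();

app.use(helmet());                                     // set security-related response headers
app.use(cors({ origin: 'https://app.example.com' }));  // send CORS headers for this origin
app.use(morgan('combined'));                           // log each request in Apache combined format
```

Output

```
::1 - - [15/May/2026] "GET / HTTP/1.1" 200
```

```js
import rateLimit from 'express-rate-limit';

// At most 100 requests per client in each 60-second window
app.use(rateLimit({ windowMs: 60_000, limit: 100 }));
```

Output

```
(429 Too Many Requests when exceeded)
```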

Notes

Order matters: put `helmet` (security headers) and `cors` early, logging like `morgan` near the top, and rate limiting before expensive routes. Most packages export a factory you call to get the middleware. Pin versions and review options for security defaults.
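The ordering rule above, shown with stand-in middleware so it runs on plain Node with nothing installed. This is an added example, not code from Express or the packages named here; `securityHeaders`, `makeLimiter`, `makeExpensiveRoute`, `dispatch` and `simulate` are hypothetical names, and the limiter counts hits without a time window.

```javascript
// Stand-ins using the Express (req, res, next) signature; not the real packages.
const securityHeaders = (req, res, next) => {   // plays the role of helmet()
  res.headers['X-Content-Type-Options'] = 'nosniff';
  next();
};

const makeLimiter = (limit) => {                // plays the role of rateLimit()
  const hits = new Map();                       // per-client hit counter
  return (req, res, next) => {
    const n = (hits.get(req.ip) || 0) + 1;
    hits.set(req.ip, n);
    if (n > limit) { res.status = 429; res.ended = true; return; }
    next();
  };
};

const makeExpensiveRoute = (counter) => (req, res, next) => {
  counter.calls += 1;                           // the costly work the limiter should protect
  res.status = 200;
  res.ended = true;                             // responds without calling next()
};

// Minimal dispatcher: run middleware in mount order until one ends the response.
function dispatch(chain, req) {
  const res = { status: 404, headers: {}, ended: false };
  let i = 0;
  const next = () => { if (!res.ended && i < chain.length) chain[i++](req, res, next); };
  next();
  return res;
}

// Send n requests from one client (constructed IP); report the last response and route work.
function simulate(order, n) {
  const counter = { calls: 0 };
  const parts = {
    headers: securityHeaders,
    limiter: makeLimiter(2),
    route: makeExpensiveRoute(counter),
  };
  const chain = order.map((name) => parts[name]);
  let last;
  for (let k = 0; k < n; k++) last = dispatch(chain, { ip: '203.0.113.7' });
  return { status: last.status, hardened: 'X-Content-Type-Options' in last.headers, routeCalls: counter.calls };
}

console.log(simulate(['headers', 'limiter', 'route'], 5)); // recommended order
console.log(simulate(['limiter', 'headers', 'route'], 5)); // 429 responses lack the security header
console.log(simulate(['headers', 'route', 'limiter'], 5)); // limiter is never reached
```

With the limiter mounted first, rejected requests leave without the security header; with it mounted after the route, every request reaches the expensive handler.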

See also