React Router 7 Framework mode security features/libraries

[jayesh1126]

Is there a way to get the same security libraries/feature I would get implemented a custom Express server or Hono to make use of their different libraries for security ?
For example if I implemented my own custom Express server I would use Helmet for header security, express-rate-limiting for rate limiting.

What are my options if I don't want any customer server but want a secure full stack React Router 7 Framework mode application ?

[ahuaiqom]

Hi @jayesh1126 👋

In React Router 7 Framework mode, security lives in the adapter/platform layer.

If you run with an Express adapter, use normal middleware (Helmet, rate-limit).

If you deploy to serverless/edge (Vercel/Netlify/Cloudflare), set response headers in your handler and use the platform’s WAF/ratelimiting or a KV/Redis-based limiter. You don’t need a “custom server,” just minimal middleware before the request handler.

Try
Node/Express adapter (classic middleware)
// server.ts
import express from "express";
import helmet from "helmet";
import rateLimit from "express-rate-limit";
import { createRequestHandler } from "@react-router/express";

const app = express();

// Secure headers (CSP, HSTS, X-Frame-Options, etc.)
app.use(helmet());

// Simple rate limit (tune for your needs)
app.use(rateLimit({ windowMs: 60_000, max: 100 }));

// Hand off to React Router
app.all("*", createRequestHandler());

app.listen(3000);

This gives you Helmet, rate limiting, body-parsers, etc., like a custom server—while the app itself stays in Framework mode.

[jayesh1126]

Thanks for the reply !!! I think I got it :) in my middleware I handle security stuff as you said as well as rate limiting!