Hey guys. I was told it was best to pose my question here.

I currently have an node express app behind an nginx load balancer.

I am curious to know what the nginx team recommends when it comes to setting security policies such as CSP, CSRF, and HSTS? Should they be configured within my express.js application? Or is it best practice to configure them in nginx?