You could get some mileage that way for some of the more trivial stuff, but stuff like user authorization (not authentication, authorization) tends to call for deeper integration into what is probably a framework. (Creating a you-call-me library would probably make it too easy to accidentally bypass the security, vs. an I-call-you framework that is guaranteed to go through the secure code path before and after your code.)
Still, if there were a standard for middleware in general you probably could at least get all the headers right and provide some sort of safe, general CSRF, session, and authentication (not authorization) framework that way. Unfortunately, the easiest places to stick a generalized middleware, which is probably an nginx module, also tend to lack any sort of backend storage, which is a problem.
Whether or not you could sell anyone on the benefits of that would be an interesting question. Getting any sort of XSS protection would involve essentially putting a full Web Application Firewall in front, for instance, which would be infeasible with any reasonable effort, and I'm not sure anyone's going to look twice at a "web security platform" that does little to nothing (effective) against XSS.
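To make the "I-call-you" point concrete, here is an added example (not from the comment above or from any project it mentions) of a tiny framework in which handlers are only ever registered, never called directly, so the authorization check runs before every handler and the security headers are stamped on every response after it, error responses included. It also shows one answer to the "no backend storage" problem for the CSRF part: the token is an HMAC over the session id keyed with a server secret, so the middleware can verify it without storing anything. `SecureApp`, `SECRET_KEY`, `SESSIONS`, the route paths and the request dict shape are all assumptions made for this example; the session table is a constructed stand-in for whatever real store the application has.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, FrozenSet, Tuple

# Hypothetical server-side key; a real deployment loads it from configuration.
SECRET_KEY = secrets.token_bytes(32)

# Constructed stand-in for a session store: session id -> roles held by that session.
SESSIONS: Dict[str, FrozenSet[str]] = {
    "sess-alice": frozenset({"user", "admin"}),
    "sess-bob": frozenset({"user"}),
}

# A response is (status, headers, body); a handler maps a request dict to one.
Response = Tuple[int, Dict[str, str], str]
Handler = Callable[[dict], Response]

# Headers the framework adds to every response, whatever the handler returned.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Referrer-Policy": "no-referrer",
}


def csrf_token(session_id: str) -> str:
    """Stateless CSRF token: HMAC(secret, session id). Nothing has to be stored to verify it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, token: str) -> bool:
    # Constant-time comparison so a forged token cannot be guessed byte by byte.
    return hmac.compare_digest(csrf_token(session_id), token)


class SecureApp:
    """I-call-you framework: application code registers handlers and never invokes them."""

    def __init__(self) -> None:
        self._routes: Dict[str, Tuple[Handler, FrozenSet[str]]] = {}

    def route(self, path: str, roles: Tuple[str, ...] = ()) -> Callable[[Handler], Handler]:
        def register(fn: Handler) -> Handler:
            self._routes[path] = (fn, frozenset(roles))
            return fn
        return register

    def __call__(self, request: dict) -> Response:
        status, headers, body = self._dispatch(request)
        # After the handler (or an early rejection): security headers on every response.
        merged = dict(SECURITY_HEADERS)
        merged.update(headers)
        return status, merged, body

    def _dispatch(self, request: dict) -> Response:
        entry = self._routes.get(request["path"])
        if entry is None:
            return 404, {}, "not found"
        handler, required_roles = entry
        roles = SESSIONS.get(request.get("session_id", ""))
        if roles is None:
            return 401, {}, "no session"
        # Before the handler: authorization is enforced here, not in application code.
        if not required_roles <= roles:
            return 403, {}, "forbidden"
        # State-changing methods must also carry a valid CSRF token for this session.
        if request["method"] not in ("GET", "HEAD", "OPTIONS"):
            if not csrf_valid(request["session_id"], request.get("csrf_token", "")):
                return 403, {}, "bad csrf token"
        return handler(request)


app = SecureApp()


@app.route("/profile", roles=("user",))
def profile(request: dict) -> Response:
    return 200, {}, "profile page"


@app.route("/admin/delete-user", roles=("admin",))
def delete_user(request: dict) -> Response:
    # No security code here: by the time this runs, the framework has already checked.
    return 200, {}, "deleted"


def demo() -> Dict[str, int]:
    """Exercise the framework with constructed requests; returns the status code per case."""
    alice_tok = csrf_token("sess-alice")
    bob_tok = csrf_token("sess-bob")
    return {
        "anon_get": app({"method": "GET", "path": "/profile"})[0],
        "bob_get": app({"method": "GET", "path": "/profile", "session_id": "sess-bob"})[0],
        "bob_admin": app({"method": "POST", "path": "/admin/delete-user",
                          "session_id": "sess-bob", "csrf_token": bob_tok})[0],
        "alice_no_csrf": app({"method": "POST", "path": "/admin/delete-user",
                              "session_id": "sess-alice"})[0],
        "alice_forged": app({"method": "POST", "path": "/admin/delete-user",
                             "session_id": "sess-alice", "csrf_token": bob_tok})[0],
        "alice_ok": app({"method": "POST", "path": "/admin/delete-user",
                         "session_id": "sess-alice", "csrf_token": alice_tok})[0],
    }
```

The design choice worth noticing is that `delete_user` has no way to skip the role check or forget the headers: the only path to it is through `SecureApp.__call__`. A you-call-me library would instead hand the application a `check_roles()` helper and hope every handler remembers to call it. The HMAC token covers the CSRF half of the comment's wish list without storage; it does not help with XSS, which is the part the comment says would need a full WAF.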