Middleware order Express


According to the Security Best Practices by Express, I implemented Helmet.

As I am using multiple middlewares (cookie-session, morgan, body-parser and various self-made middlewares for authentication), I'm now wondering in which order I should put them.
Is there a best practice guide for middlewares, their security and order?


There is 1 answer

rdegges (best answer)

In your case, I'd use helmet as the first middleware.

The most important reason for this is the HSTS handling. This will handle the bit where users are FORCED to use the HTTPS version of your site, instead of the plain HTTP one.

Not listing Helmet first on an HTTPS site could lead to some interesting vulnerabilities, because users could potentially start a transaction over HTTP, passing sensitive information to your webapp which can be used maliciously, THEN have their request later redirect to HTTPS via Helmet (not good).

This is an interesting question, and this should definitely be added to the Helmet docs.
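The ordering point made in the answer, as an added example that is not part of the original question or answer: a tiny Express-style middleware chain run twice over the same plain-HTTP login request, once with the transport-security middleware first and once with it last. No npm packages are used; `express`, `helmet`, `body-parser` and the authentication middleware are stood in for by small constructed functions so the file runs offline. The stand-in `transportSecurity` both emits `Strict-Transport-Security` and refuses plain-HTTP requests with a redirect; in a real deployment Helmet's `hsts()` only sets the header, and the HTTP-to-HTTPS redirect is done by a separate middleware or the reverse proxy, so the stand-in combines the two for illustration.

```javascript
'use strict';

// Minimal Express-style chain runner (constructed stand-in for an Express app):
// calls each middleware in order and stops when one ends the response
// without calling next(). Returns the request, the response and the names of
// the middlewares that actually ran.
function runChain(middlewares, req) {
  const res = {
    headers: {},
    statusCode: 200,
    ended: false,
    redirectedTo: null,
    body: null,
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    redirect(status, url) {
      this.statusCode = status;
      this.redirectedTo = url;
      this.ended = true;
    },
    send(text) { this.body = text; this.ended = true; },
  };
  const trace = [];
  let i = 0;
  function next() {
    if (res.ended || i >= middlewares.length) return;
    const mw = middlewares[i++];
    trace.push(mw.name);
    mw(req, res, next);
  }
  next();
  return { req, res, trace };
}

// Constructed stand-in for a Helmet-like HSTS middleware (not Helmet's code):
// sets Strict-Transport-Security and refuses to process plain-HTTP requests.
function transportSecurity(req, res, next) {
  res.setHeader('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
  if (!req.secure) {
    return res.redirect(301, 'https://' + req.host + req.url);
  }
  next();
}

// Stand-in for body-parser: a JSON body becomes req.body.
function bodyParser(req, res, next) {
  req.body = req.rawBody ? JSON.parse(req.rawBody) : {};
  next();
}

// Stand-in for a self-made authentication middleware: a token in the body
// identifies the user. Anything it reads has already crossed the wire.
function authenticate(req, res, next) {
  req.user = req.body && req.body.token === 'tok-alice' ? 'alice' : null;
  next();
}

function handler(req, res) {
  res.send('hello ' + (req.user || 'anonymous'));
}

// The same middlewares in two orders.
const helmetFirst = [transportSecurity, bodyParser, authenticate, handler];
const helmetLast = [bodyParser, authenticate, transportSecurity, handler];

// Constructed plain-HTTP POST carrying a credential in its body.
function insecureRequest() {
  return { secure: false, host: 'example.test', url: '/login', rawBody: '{"token":"tok-alice"}' };
}
function secureRequest() {
  return Object.assign(insecureRequest(), { secure: true });
}

// Runs the three scenarios and returns their results for inspection.
function demo() {
  return {
    firstOverHttp: runChain(helmetFirst, insecureRequest()),
    lastOverHttp: runChain(helmetLast, insecureRequest()),
    firstOverHttps: runChain(helmetFirst, secureRequest()),
  };
}

const results = demo();
console.log('helmet first, plain HTTP:', results.firstOverHttp.trace, '-> redirect to', results.firstOverHttp.res.redirectedTo);
console.log('helmet last,  plain HTTP:', results.lastOverHttp.trace, '-> user already set to', results.lastOverHttp.req.user);
console.log('helmet first, HTTPS:     ', results.firstOverHttps.trace, '->', results.firstOverHttps.res.body);
```

With the transport-security middleware first, the plain-HTTP request is redirected before `bodyParser` or `authenticate` ever run, so `req.body` is never populated. With it last, the body is parsed and the user is authenticated from a credential that travelled over HTTP, and only then does the redirect happen; that is the window the answer describes.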