it's purely function composition, so you can technically do whatever you want. 😉 .
There are several options really - you can apply filters individually to each HttpHandler before putting them into the routes block, or just group the routes by which security you want to apply and then compose them. Or you could write a filter which applied another filter depending on the path.