Content-Security-Policy header with Express
Setting the Content-Security-Policy HTTP response header using Express is straightforward: using the Express API, call the set method of the Express Response object.
res.set("Content-Security-Policy", "default-src 'self'");
Your policy goes in the second argument of the set method of the Express Response object.
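Here is an added example (not code from the original page) that wraps the res.set() call above in a reusable Express middleware. It builds the header value from a directives object, refuses source values that would break the header syntax, and assumes Express 4.x for the app.use() wiring; the functions themselves do not require Express.

```javascript
// Added example: build a CSP header value and set it with res.set() from middleware.
// Assumes an Express-style `res` object with a set(name, value) method.

// A source value must never contain the CSP separators ';' or ',' or whitespace;
// otherwise a value taken from configuration could split the header into extra
// directives. Keyword sources such as 'self' must keep their single quotes.
function checkSource(src) {
  if (typeof src !== "string" || /[;,\s]/.test(src) || src.length === 0) {
    throw new Error(`invalid CSP source: ${JSON.stringify(src)}`);
  }
  return src;
}

// Serialize { "default-src": ["'self'"], "img-src": ["'self'", "data:"] }
// into "default-src 'self'; img-src 'self' data:". A directive with no
// sources (e.g. "upgrade-insecure-requests": []) is emitted as its bare name.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => {
      const list = (Array.isArray(sources) ? sources : [sources]).map(checkSource);
      return list.length ? `${name} ${list.join(" ")}` : name;
    })
    .join("; ");
}

// Middleware factory: the policy is serialized once, then set on every response.
function csp(directives) {
  const value = buildCsp(directives);
  return function cspMiddleware(req, res, next) {
    res.set("Content-Security-Policy", value);
    next();
  };
}

// Illustrative wiring for an Express app: attach the middleware before any routes
// so that every response, including error pages, carries the header.
function attachCsp(app) {
  app.use(csp({ "default-src": ["'self'"], "img-src": ["'self'", "data:"] }));
  return app;
}
```

Call attachCsp(express()) before registering routes; the header is then present on every response the app sends.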
Instead of writing the header directly from your Node.js code, you can have your web server add the header instead; for example, CSP with nginx, or CSP with Apache via .htaccess.
As shown above, it is quite simple to set the header yourself, but if you are looking for additional features, several Express middleware modules support CSP.
If you're not sure what default-src 'self'; means, check the Content Security Policy reference for details.