Content Security Policy (CSP)

CSP ExpressJS Example

Here's how to add a Content-Security-Policy HTTP response header using Express.

Example CSP Header in Express JS

Using the Express API, call the set method of the Express Response object:

res.set("Content-Security-Policy", "default-src 'self'");

Your policy will go inside the second argument of the set method of the Express Response object.
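The one-liner above works, but as a policy grows it is easier to review as an object and serialize it once. The following is an added example, not code from the original page: an Express-style middleware (the same middleware pattern discussed below) that builds the header value from an object, rejects unquoted CSP keywords such as a bare self (browsers treat that as a hostname, not the keyword), and can emit the Report-Only variant while a policy is being tuned. It only assumes Express's res.set(name, value); the demo response object is constructed so the snippet runs without the express package.

```javascript
// Added example, not from the original page. Assumes only Express's
// res.set(name, value); `fakeResponse` is a constructed stand-in.

// CSP keywords must be single-quoted ('self'); a bare `self` is silently
// treated as a hostname, so reject it instead of shipping a broken policy.
const QUOTED_KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"]);

// { "default-src": ["'self'"], "object-src": ["'none'"] } ->
// "default-src 'self'; object-src 'none'"
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => {
      const values = Array.isArray(sources) ? sources : [sources];
      for (const v of values) {
        if (QUOTED_KEYWORDS.has(v)) {
          throw new Error(`CSP keyword ${v} must be quoted: '${v}'`);
        }
      }
      // Valueless directives (e.g. upgrade-insecure-requests) are emitted bare.
      return values.length ? `${name} ${values.join(" ")}` : name;
    })
    .join("; ");
}

// Returns Express middleware. reportOnly: true sends
// Content-Security-Policy-Report-Only so violations are reported, not blocked.
function csp(directives, { reportOnly = false } = {}) {
  const header = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  const value = serializeCsp(directives); // serialized once, not per request
  return function cspMiddleware(req, res, next) {
    res.set(header, value);
    next();
  };
}

// Constructed stand-in for an Express Response (only res.set is needed here).
function fakeResponse() {
  const headers = {};
  return { headers, set(name, v) { headers[name] = v; return this; } };
}

// In a real app: app.use(csp({ ... })). Here we drive the middleware by hand.
const mw = csp({ "default-src": ["'self'"], "script-src": ["'self'"], "object-src": ["'none'"], "upgrade-insecure-requests": [] });
const res = fakeResponse();
mw({}, res, () => {});
console.log(res.headers["Content-Security-Policy"]);
// default-src 'self'; script-src 'self'; object-src 'none'; upgrade-insecure-requests
```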

Using Your Web Server

Instead of writing the header directly from your Node.js code, you can have your web server add it. For example, see CSP with nginx or CSP with Apache via .htaccess.

Express Middleware for CSP

As we saw above, it is quite simple to set the header yourself, but if you are looking for additional features there are some Express middleware modules that support CSP:

What goes inside a CSP policy?

If you're not sure what default-src 'self'; means, then check out the Content Security Policy reference for details.

CSP Developer Field Guide

Want to learn the ins and outs of CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.
