Content Security Policy (CSP)

CSP ExpressJS Example

Here's how to add a Content-Security-Policy HTTP response header using Express.

Example CSP Header with Express

Using the Express API, call the set method of the Express Response object:

res.set("Content-Security-Policy", "default-src 'self'");

Your policy will go inside the second argument of the set method of the Express Response object.

Using Your Web Server

Instead of writing the header directly from your Node.js code, you can have your web server write it instead; for example, CSP with nginx, or CSP with Apache via .htaccess.

Express Middleware for CSP

As we saw above, it is quite simple to set the header yourself, but if you are looking for some additional features, there are some Express middleware modules that support CSP:

What goes inside a CSP policy?

If you're not sure what default-src 'self'; means, then check out the Content Security Policy reference for details.