CSP ExpressJS Example
Here's how to add a Content-Security-Policy HTTP response header using Express.
Example CSP Header in Express JS
By using the Express API, we can call the set method of the Express Response object:

res.set("Content-Security-Policy", "default-src 'self'");

Your policy goes inside the second argument of the set method of the Express Response object.
Using Your Web Server
Instead of writing the header directly from your Node.js code, you can instead have your web server write the header. For example, see CSP with nginx or CSP with Apache via .htaccess.
Express Middleware for CSP
As we saw above, it is quite simple to set the header yourself, but if you are looking for additional features, there are Express middleware modules that support CSP:
- HelmetJS - helps you set Content-Security-Policy along with a bunch of other security-related headers.
- express-csp-header - express middleware for CSP.
What goes inside a CSP policy?
If you're not sure what default-src 'self'; means, then check out the Content Security Policy reference for details.
CSP Developer Field Guide
Want to learn the ins and outs of CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.
Struggling to stay on top of security advisories?
Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.