Content Security Policy middleware
Content Security Policy helps prevent unwanted content from being injected into your webpages. This can mitigate cross-site scripting (XSS) vulnerabilities, malicious frames, unwanted trackers, and much more.
This middleware helps set Content Security Policies.
```javascript
// Package name and directive values below are assumed for illustration;
// the original snippet was garbled in extraction.
const contentSecurityPolicy = require("helmet-csp");

app.use(
  contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "js.example.com"],
      objectSrc: ["'none'"],
    },
    reportOnly: false,
  })
);
```
To get the defaults, use
You can set any directives you wish. `defaultSrc` is required. Directives can be kebab-cased (like `script-src`) or camel-cased (like `scriptSrc`). They are equivalent, but duplicates are not allowed.

The `reportOnly` option, if set to `true`, sets the `Content-Security-Policy-Report-Only` header instead.
This middleware does minimal validation. You should use a more sophisticated CSP validator, like Google's CSP Evaluator, to make sure your CSP looks good.
Recipe: generating nonces
You can dynamically generate nonces to allow inline `<script>` tags to be safely evaluated. Here's a simple example:
```javascript
// Reconstructed from a garbled snippet: generate a fresh nonce per request,
// feed it into the script-src directive, and use the same nonce in the markup.
const crypto = require("crypto");

app.use((req, res, next) => {
  res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
  next();
});

app.use(
  contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      // A function value is evaluated per request, so each response
      // carries its own nonce.
      scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
    },
  })
);

app.use((req, res) => {
  res.end(`<script nonce="${res.locals.cspNonce}">alert(1 + 1);</script>`);
});
```