Dynamic Content Security Policy (CSP) Update with Helmet

[siirius99]

We are using Angular as the frontend and Node.js as the backend, both served on the same port. Helmet is being used to manage security headers, with a global configuration for most routes, and a specific configuration for one route where Content-Security-Policy (CSP) headers are dynamically set based on frame source URLs that are fetched from the database.

The problem arises when the frame source URLs in the database are updated. These updates do not reflect in the application until the app is manually refreshed, causing a break in functionality for any new URLs added to the frameSrc directive.

this.app.use('/route', (request, response, next) => { const frameSourceUrls = [myUrlsFromDatabase]; contentSecurityPolicy({ useDefaults: false, directives: { ...commonCSP, frameSrc: frameSourceUrls }, reportOnly: false })(request, response, next); }); Is there any way to solve it?

[EvanHahn]

Hmm, that's surprising. I would expect that to work just fine. Could you create a sample app that reproduces this problem?