Setting legacy Content Security Policy headers in Helmet 4
Evan Hahn edited this page May 18, 2020 · 1 revision
In Helmet v3 and helmet-csp v2, there is a `setAllHeaders` option. This sets the modern `Content-Security-Policy` header and the legacy `X-WebKit-CSP` and `X-Content-Security-Policy` headers.
In Helmet 4, this option was removed. To achieve the same effect, add this middleware after you use Helmet:
```js
// Make sure to use this AFTER you use Helmet's middleware, so the
// Content-Security-Policy header has already been set on the response.
app.use((req, res, next) => {
  const csp = res.getHeader("Content-Security-Policy");
  // Only mirror the header if it exists; calling setHeader with undefined
  // throws in Node, e.g. when Helmet's CSP middleware is disabled.
  if (csp !== undefined) {
    res.setHeader("X-WebKit-CSP", csp);
    res.setHeader("X-Content-Security-Policy", csp);
  }
  next();
});
```
You can customize it as needed. For example, you could remove support for the `X-WebKit-CSP` header.

If you are using `Content-Security-Policy-Report-Only`, you can do something very similar:
```js
// Also place this AFTER Helmet's middleware.
app.use((req, res, next) => {
  const csp = res.getHeader("Content-Security-Policy-Report-Only");
  // Skip when the report-only header is not present on the response.
  if (csp !== undefined) {
    res.setHeader("X-WebKit-CSP-Report-Only", csp);
    res.setHeader("X-Content-Security-Policy-Report-Only", csp);
  }
  next();
});
```