nodeJS - where exactly can I put the Content Security Policy

javascript html node.js content-security-policy
user2520410 picture user2520410 · Jan 10, 2014 · Viewed 23.5k times · Source

I don't know where to apply the Content Security Policy (CSP) snippet below in my code;

Content-Security-Policy: script-src 'self' https://apis.google.com

Should it be in the HTML?

Will it be best implemented in JavaScript as in the code snippet below?

var policy = "default-src 'self'";
http.createServer(function (req, res) {
    res.writeHead(200, {
        'Content-Security-Policy': policy
    });
});

Answer

Juan Manuel Arias picture Juan Manuel Arias · May 29, 2014

You just need to set it in the HTTP Header, not the HTML. This is a working example with express 4 with a static server:

var express = require('express');
var app = express();


app.use(function(req, res, next) {
    res.setHeader("Content-Security-Policy", "script-src 'self' https://apis.google.com");
    return next();
});

app.use(express.static(__dirname + '/'));

app.listen(process.env.PORT || 3000);

If you want more information about CSP, this is an excelent article: http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Hope that helps!

Related questions

Render basic HTML view?

I have a basic node.js app that I am trying to get off the ground using Express framework. I have a views folder where I have an index.html file. But I receive the following error when loading the …

Read More
Connecting to TCP Socket from browser using javascript

I have a vb.net application that opens a socket and listens on it. I need to communicate via this socket to that application using a javascript running on a browser. That is i need to send some data on …

Read More
Connecting client to server using Socket.io

I'm relatively new to node.js and it's addons, so this is probably a beginnersquestion. I'm trying to get a simple HTML page on a webserver connect to a different server running node.js with websocket.io. My code looks …

Read More