-
Notifications
You must be signed in to change notification settings - Fork 369
Setting legacy Content Security Policy headers in Helmet 4
Evan Hahn edited this page May 18, 2020
·
1 revision
In Helmet v3 and helmet-csp v2, there is a setAllHeaders option. This sets the modern Content-Security-Policy header and the legacy X-WebKit-CSP and X-Content-Security-Policy headers.
In Helmet 4, this option was removed. To achieve the same effect, add this middleware after you use Helmet:
// Make sure to use this AFTER you use Helmet's middleware.
app.use((req, res, next) => {
const csp = res.getHeader("Content-Security-Policy");
res.setHeader("X-WebKit-CSP", csp);
res.setHeader("X-Content-Security-Policy", csp);
next();
});You can customize it as needed. For example, you could remove support for the X-WebKit-CSP header.
If you are using Content-Security-Policy-Report-Only, you can do something very similar:
app.use((req, res, next) => {
const csp = res.getHeader("Content-Security-Policy-Report-Only");
res.setHeader("X-WebKit-CSP-Report-Only", csp);
res.setHeader("X-Content-Security-Policy-Report-Only", csp);
next();
});