TechQA.

how to disable Content Security Policy and stay secure?

8.4k views Asked by At

i want to disable the CSP - app.use(helmet.contentSecurityPolicy()) because it blocks any inline-scripts. the hash and nonce solutions (https://content-security-policy.com/examples/allow-inline-script/) are too much overkill for my app. is the xss-clean package or others solutions are enough to get a regular-moderate security?

thanks :)

javascript node.js security content-security-policy inline-scripting
Original Q&A
1

There are 1 answers

5
Randy Casburn On BEST ANSWER

You have complete control using the helmet middleware you mentioned.

The reference docs are clear about setting up your CSP.

Once set, you can always evaluate the strength your CSP with a validator such as this one.

From the docs:

If no directives are supplied, the following policy is set (whitespace added for readability):

default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests

You can set the policy when you load up 'helmet` by following the instructions in the documentation.

For example, here is an example configuration:

// Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none';upgrade-insecure-requests"
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "example.com"],
      objectSrc: ["'none'"],
      upgradeInsecureRequests: [],
    },
  })
);

Related Questions in JAVASCRIPT

Related Questions in NODE.JS

Related Questions in SECURITY

Related Questions in CONTENT-SECURITY-POLICY

Related Questions in INLINE-SCRIPTING

Popular Questions

Trending Questions