Content Security Policy middleware

The Content-Security-Policy header mitigates a large number of attacks, such as [cross-site scripting][XSS]. See MDN's introductory article on Content Security Policy.

This header is powerful but likely requires some configuration for your specific app.

To configure this header, pass an object with a nested directives object. Each key is a directive name in camel case (such as defaultSrc) or kebab case (such as default-src). Each value is an array (or other iterable) of strings or functions for that directive. If a function appears in the array, it will be called with the request and response objects.

const contentSecurityPolicy = require("helmet-csp");

// Sets all of the defaults, but overrides `script-src`
// and disables the default `style-src`.
app.use(
  contentSecurityPolicy({
    directives: {
      "script-src": ["'self'", "example.com"],
      "style-src": null,
    },
  }),
);

// Sets the `script-src` directive to
// "'self' 'nonce-e33cc...'"
// (or similar)
app.use((req, res, next) => {
  res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
  next();
});
app.use(
  contentSecurityPolicy({
    directives: {
      scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
    },
  }),
);

These directives are merged into a default policy, which you can disable by setting useDefaults to false.

// Sets "Content-Security-Policy: default-src 'self';
// script-src 'self' example.com;object-src 'none';
// upgrade-insecure-requests"
app.use(
  contentSecurityPolicy({
    useDefaults: false,
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "example.com"],
      objectSrc: ["'none'"],
      upgradeInsecureRequests: [],
    },
  }),
);

You can get the default directives object with contentSecurityPolicy.getDefaultDirectives(). Here is the default policy (formatted for readability):

default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests

The default-src directive can be explicitly disabled by setting its value to contentSecurityPolicy.dangerouslyDisableDefaultSrc, but this is not recommended.

You can set the Content-Security-Policy-Report-Only instead:

// Sets the Content-Security-Policy-Report-Only header
app.use(
  contentSecurityPolicy({
    directives: {
      /* ... */
    },
    reportOnly: true,
  }),
);

This module performs very little validation on your CSP. You should rely on CSP checkers like CSP Evaluator instead.

Changelog

4.0.0 - 2024-06-01

Changed

• Breaking: useDefaults option now defaults to true
• Breaking: form-action directive is now set to 'self' by default
• Breaking: block-all-mixed-content is no longer set by default

Removed

• Breaking: Node 18+ is now required

3.4.0 - 2021-05-02

Added

• New useDefaults option, defaulting to false, lets you selectively override defaults more easily

3.3.1 - 2020-12-27

Fixed

• Broken TypeScript types. See #283

3.3.0 - 2020-12-27

Added

• Setting the default-src to contentSecurityPolicy.dangerouslyDisableDefaultSrc disables it

3.2.0 - 2020-11-01

Added

• Get the default directives with contentSecurityPolicy.getDefaultDirectives()

3.1.0 - 2020-08-15

Added

• Directive values can now include functions, as they could in Helmet 3. See #243

3.0.0 - 2020-08-02

Added

• If no default-src directive is supplied, an error is thrown
• Directive lists can be any iterable, not just arrays

Changed

• There is now a default set of directives if none are supplied
• Duplicate keys now throw an error. See helmetjs/csp#73
• This middleware is more lenient, allowing more directive names or values

Removed

• Removed browser sniffing (including the browserSniff parameter). See #97
• Removed conditional support. This includes directive functions and support for a function as the reportOnly. Read this if you need help.
• Removed a lot of checks—you should be checking your CSP with a different tool
• Removed support for legacy headers (and therefore the setAllHeaders parameter). Read this if you need help.
• Dropped support for old Node versions. Node 10+ is now required
• Removed the loose option
• Removed support for functions as directive values. You must supply an iterable of strings
• Removed the disableAndroid option

2.9.5 - 2020-02-22

Changed

• Updated bowser subdependency from 2.7.0 to 2.9.0

Fixed

• Fixed an issue some people were having when importing the bowser subdependency. See #96 and #101
• Fixed a link in the readme. See #100

2.9.4 - 2019-10-21

Changed

• Updated bowser subdependency from 2.6.1 to 2.7.0. See #94

2.9.3 - 2019-09-30

Fixed

• Published a missing TypeScript type definition file. See #90

2.9.2 - 2019-09-20

Fixed

• Fixed a bug where a request from Firefox 4 could delete default-src from future responses
• Fixed tablet PC detection by updating bowser subdependency to latest version

2.9.1 - 2019-09-04

Changed

• Updated bowser subdependency from 2.5.3 to 2.5.4. See #88

Fixed

• The "security" keyword was declared twice in package metadata. See #87

2.9.0 - 2019-08-28

Added

• Added TypeScript type definitions. See #86

Fixed

• Switched from platform to bowser to quiet a security vulnerability warning. See #80

2.8.0 - 2019-07-24

Added

• Added a new sandbox directive, allow-downloads-without-user-activation (see #85)
• Created a changelog
• Added some package metadata

Changed

• Updated documentation to use ES2015
• Updated documentation to remove dependency on UUID package
• Updated content-security-policy-builder to 2.1.0
• Excluded some files from the npm package

Changes in versions 2.7.1 and below can be found in Helmet's changelog.