Content Security Policy

HTTP header that controls which resources the browser is allowed to load. Primary defense against XSS attacks.

Syntax

environments-and-security
Content-Security-Policy: directive 'value' source;

Example

environments-and-security
// Strict CSP header
res.setHeader(
  "Content-Security-Policy",
  [
    "default-src 'self'",
    "script-src 'self' 'nonce-{RANDOM}'",
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https:",
    "connect-src 'self' https://api.yourapp.com",
    "frame-ancestors 'none'",
    "upgrade-insecure-requests",
  ].join("; ")
);