Content Security Policy
HTTP header that controls which resources the browser is allowed to load. Primary defense against XSS attacks.
Syntax
environments-and-security
Content-Security-Policy: directive 'value' source;Example
environments-and-security
// Strict CSP header
res.setHeader(
"Content-Security-Policy",
[
"default-src 'self'",
"script-src 'self' 'nonce-{RANDOM}'",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https:",
"connect-src 'self' https://api.yourapp.com",
"frame-ancestors 'none'",
"upgrade-insecure-requests",
].join("; ")
);