Skip to content Skip to sidebar Skip to footer
Home / Content Security Policy / Express / Helmet.js / Javascript

How Do I Set Up Helmet.js Correctly To Resolve Csp Issue?

Post a Comment
When I start my express app the browser gives me this error: Refused to load the script 'http://localhost:1337/main.js' because it violates the following Content Security Policy di

Solution 1:

Helmet maintainer here. This is happening because your directives need to be nested under a directives property.

For example:

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: scriptSources,
      // ...
    },
  })
)

Solution 2:

Ok so I managed to get it working correctly. Helmet is allowing me to set my CSP this way:

app.use(
  helmet.contentSecurityPolicy({
    defaultSrc: ["'self'"],
    scriptSrc: scriptSources,
    scriptSrcElem: scriptSources,
    styleSrc: styleSources,
    connectSrc: connectSources,
    reportUri: '/report-violation',
    reportOnly: false,
    safari5: false  
  })
);

So my main.js file is a vue app and I had it written like this before:

import * asVuefrom'./src/vue.esm-browser.js';

constApp = Vue.createApp({
  data() {
    return {
      slug,
      url
    }
  },
  methods: {
    createUrl() {
      console.log(this.slug, this.url);
    }
  }
}).mount('#app');

I rewrote the code like this:

import { createApp, ref } from'./src/vue.esm-browser.js';

const slug = ref('');
const url = ref('');

createApp({
 setup() {
   constcreateUrl = () => {
     console.log(slug.value, url.value);
   };

   return {
     slug,
     url,
     createUrl
   };
 }
}).mount('#app');

and in my html file is was able to call createUrl without invoking it.

Post a Comment for "How Do I Set Up Helmet.js Correctly To Resolve Csp Issue?"