
Implement helmet-csp on individual routes


This behavior is built into Express.

Express lets you specify multiple request handlers per route. Because csp() returns a request handler (middleware), you can place it before your own route handler:

// Express runs the handlers of a route in order: the csp() middleware sets the
// Content-Security-Policy header first, then the route handler sends the body.
// NOTE(review): frame-src restricts which origins *this* page may embed in
// frames; whether other sites may frame this page is governed by
// frame-ancestors — confirm which directive is actually intended here.
const frameableCsp = csp({
  directives: {
    frameSrc: ["'self'"],
  },
});

app.get('/frameable', frameableCsp, (req, res) => {
  res.send('you can frame me!');
});

If you prefer to split things out a bit, you could do something like this:

// Two CSP policies built once at startup: the restrictive one is registered
// for every route via app.use(), and the route-specific one is passed as an
// extra handler on /frameable, so it only runs for that route.
// NOTE(review): frame-src restricts which origins the page may embed; whether
// other sites may frame this page is governed by frame-ancestors — confirm
// that frame-src is the directive actually intended.
const normalCspHandler = csp({
  directives: {
    frameSrc: ["'none'"],
  },
});

const frameSelfCspHandler = csp({
  directives: {
    frameSrc: ["'self'"],
  },
});

// Default policy for every request.
app.use(normalCspHandler);

// Route-level policy: it runs after normalCspHandler for this path and sets the
// header again, so its value is the one sent for /frameable.
app.get('/frameable', frameSelfCspHandler, (req, res) => {
  res.send('you can frame me!');
});

(By the way, I maintain Helmet, so let me know if you have any feedback!)


A custom middleware can also change the headers; just register it after app.use(csp(...)) so it runs later:

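// Overrides the CSP header for a single path. It must be registered after
// app.use(csp(...)) so that it runs later and its res.set() is the last write.
// Caveat: res.set() replaces the whole Content-Security-Policy value, so any
// other directives the global csp middleware emitted are dropped for this path;
// repeat them here if they are needed.
// NOTE(review): frame-src restricts what this page may embed; controlling who
// may frame this page is done with frame-ancestors — confirm intent.
app.use((req, res, next) => {
  // req.path excludes the query string, so '/frameable?x=1' still matches
  // (req.url would carry the query and miss); strict equality avoids coercion.
  if (req.path === '/frameable') {
    res.set('Content-Security-Policy', "frame-src 'self'");
  }
  next();
});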

You can also choose the middleware per request, since csp() is a function that returns a middleware function:

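// Builds both CSP middlewares once at startup rather than calling csp() on
// every request (the original rebuilt the middleware per request, re-parsing
// the directives each time), then dispatches to the one matching the path.
// NOTE(review): frame-src restricts which origins the page may embed; whether
// other sites may frame this page is governed by frame-ancestors — confirm
// that frame-src is the directive actually intended.
const frameSelfCsp = csp({
  directives: {
    frameSrc: ["'self'"],
  },
});

const noFrameCsp = csp({
  directives: {
    frameSrc: ["'none'"],
  },
});

app.use((req, res, next) => {
  // req.path excludes the query string, so '/frameable?x=1' still matches
  // (req.url would carry the query and miss); strict equality avoids coercion.
  const middleware = req.path === '/frameable' ? frameSelfCsp : noFrameCsp;
  middleware(req, res, next);
});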