Implement helmet-csp on individual routes
This behavior is built into Express.
Express lets you specify multiple request handlers per route. Because csp()
returns an ordinary Express middleware function, you can add it before your route handler:
// The csp() middleware runs first and sets the Content-Security-Policy header
// for this route only; the route handler that follows sends the body.
// NOTE(review): frame-src limits what this response may itself embed in
// frames. The directive that limits who may embed *this* page is
// frame-ancestors (X-Frame-Options is the legacy equivalent).
app.get(
  '/frameable',
  csp({ directives: { frameSrc: ["'self'"] } }),
  (req, res) => {
    res.send('you can frame me!');
  },
);
If you prefer to split things out a bit, you could do something like this:
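// Two csp() middlewares built once at startup: the restrictive one is applied
// app-wide, the permissive one only on the route that needs it. Because the
// route-level handler runs after the global one, its header value is the one
// expected to reach the client — confirm with the helmet-csp version in use.
// NOTE(review): frame-src governs what the page may embed; to control who may
// frame this page, frame-ancestors is the relevant directive.
const normalCspHandler = csp({ directives: { frameSrc: ["'none'"] } });
const frameSelfCspHandler = csp({ directives: { frameSrc: ["'self'"] } });

app.use(normalCspHandler);

app.get('/frameable', frameSelfCspHandler, (request, response) => {
  response.send('you can frame me!');
});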
(By the way, I maintain Helmet, so let me know if you have any feedback!)
A custom middleware can also change headers — just register it after the `app.use(csp(...))` call so it runs afterwards:
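// Must be registered after app.use(csp(...)) so it runs later and can replace
// the header for one path. req.path is compared instead of req.url so a query
// string ("/frameable?x=1") does not defeat the match; the comparison is exact,
// so "/frameable/" or differently-cased variants keep the default policy.
// NOTE(review): frame-src governs what the page may embed; to control who may
// frame this page, frame-ancestors is the relevant directive.
app.use((req, res, next) => {
  if (req.path === '/frameable') {
    res.set('Content-Security-Policy', 'frame-src \'self\'');
  }
  next();
});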
You can also chain middleware, since csp() is a function that returns a middleware function:
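// Per-request dispatch between two policies. Both csp() instances are created
// once at startup instead of being rebuilt on every request; only the choice
// of which one to run is made per request. req.path is used so a query string
// does not defeat the match; the comparison is exact (no trailing-slash or
// case normalisation).
// NOTE(review): frame-src governs what the page may embed; to control who may
// frame this page, frame-ancestors is the relevant directive.
const cspFrameSelf = csp({ directives: { frameSrc: ["'self'"] } });
const cspFrameNone = csp({ directives: { frameSrc: ["'none'"] } });

app.use((req, res, next) => {
  const policy = req.path === '/frameable' ? cspFrameSelf : cspFrameNone;
  policy(req, res, next);
});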