nodeJS - where exactly can I put the Content Security Policy
You just need to set it in the HTTP Header, not the HTML. This is a working example with express 4 with a static server:
var express = require('express');var app = express();app.use(function(req, res, next) { res.setHeader("Content-Security-Policy", "script-src 'self' https://apis.google.com"); return next();});app.use(express.static(__dirname + '/'));app.listen(process.env.PORT || 3000);
If you want more information about CSP, this is an excelent article: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
Hope that helps!
For a node.js
application without using any external framework e.g. express
:
const http = require('http');http.createServer((request, response) => { request.on('error', (err) => { console.error(err); // for this simple example I am not including the data event // e.g. if the request contains data in the body }).on('end', () => { response.on('error', (err) => { console.error(err); }); // you can set your headers with setHeader or // use writeHead as a "shortcut" to include the statusCode. // Note writeHead won't cache results internally // and if used in conjuction with setHeader will take some sort of "precedence" response.writeHead(200, { "Content-Security-Policy": "default-src 'self'" // other security headers here... }); response.end("<html><body><h1>Hello, Security Headers!</h1></body></html>"); });}).listen(8080);
See the node.js documentation for more details on setting headers on the response object
If you are using Express, I suggest taking a look at helmet. In addition to increased options & flexibility (handling CSP violations, nonces...etc), there are a lot of inconsistencies in how browsers implement CSP. Helmet looks at the user-agent of the browser and sets the appropriate header and value for that browser. If no user-agent is matched, it will set all the headers with the 2.0 spec.
// Make sure you run "npm install helmet-csp" to get the csp package.const csp = require('helmet-csp')app.use(csp({ directives: { defaultSrc: ["'self'"], styleSrc: ["'self'", 'maxcdn.bootstrapcdn.com'] }}))