Skip to content

Setting legacy Content Security Policy headers in Helmet 4

Evan Hahn edited this page May 18, 2020 · 2 revisions

In Helmet v3 and helmet-csp v2, there is a setAllHeaders option. This sets the modern Content-Security-Policy header and the legacy X-WebKit-CSP and X-Content-Security-Policy headers.

In Helmet 4, this option was removed. To achieve the same effect, add this middleware after you use Helmet:

// Make sure to use this AFTER you use Helmet's middleware.
app.use((req, res, next) => {
  const csp = res.getHeader("Content-Security-Policy");
  res.setHeader("X-WebKit-CSP", csp);
  res.setHeader("X-Content-Security-Policy", csp);

You can customize it as needed. For example, you could remove support for the X-WebKit-CSP header.

If you are using Content-Security-Policy-Report-Only, you can do something very similar:

app.use((req, res, next) => {
  const csp = res.getHeader("Content-Security-Policy-Report-Only");
  res.setHeader("X-WebKit-CSP-Report-Only", csp);
  res.setHeader("X-Content-Security-Policy-Report-Only", csp);