helmetjs / helmet

Help secure Express apps with various HTTP headers

Home page: https://helmetjs.github.io/

Multiple CSP headers

lode opened this issue · comments

Is it possible to send out multiple CSP headers? (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies)

When doing multiple app.use(contentSecurityPolicy({...})) calls only the last one seems to be used.

When changing reportOnly for each of the calls, it does send out different headers. But this seems logical since the header-key is actually changing.

No, this is not supported.

You can achieve this by setting the header yourself:

res.setHeader("Content-Security-Policy", [
  "default-src 'self' http://example.com; connect-src 'none';",
  "connect-src http://example.com/; script-src http://example.com/",
]);

Does that help?
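To show the header-array approach as reusable Express-style middleware, here is an added example (not helmet's code and not from this issue); the req/res objects are constructed stand-ins so it runs without Express, and `buildCsp`, `multiCsp` and the sample policies are assumptions of this example. Node sends one header line per array element, and a browser enforces every policy it receives, so a resource must be allowed by all of them.

```javascript
// Added example, not part of helmet: emit several Content-Security-Policy
// headers from one middleware by passing an array to res.setHeader.

// Build one CSP header value from a { directive: [sources] } object.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Middleware factory: each element of `policies` becomes its own header
// line. reportOnly switches to the *-Report-Only header, as in the issue.
function multiCsp(policies, { reportOnly = false } = {}) {
  const headerName = reportOnly
    ? "Content-Security-Policy-Report-Only"
    : "Content-Security-Policy";
  const values = policies.map(buildCsp);
  return function (req, res, next) {
    res.setHeader(headerName, values); // array => one header per element
    next();
  };
}

// Constructed sample: a strict baseline plus a narrower second policy.
// Because all policies apply, the second cannot widen the first; e.g.
// connect-src stays blocked since the baseline says 'none'.
const samplePolicies = [
  { "default-src": ["'self'"], "connect-src": ["'none'"] },
  { "connect-src": ["https://api.example.com"], "script-src": ["'self'"] },
];

// Minimal stand-in for an Express response so this runs without Express.
function runMiddleware(mw) {
  const headers = {};
  const res = { setHeader: (k, v) => { headers[k] = v; } };
  let nextCalled = false;
  mw({}, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

console.log(runMiddleware(multiCsp(samplePolicies)).headers);
```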

Yes, I understand.

For my use case right now (multiple report-uris) I found it is also possible to pass an array to report-uri. I didn't know that syntax, but it seems to work fine.

But if it won't, I'll be able to set the header manually. Thanks!

Great! I'm going to close this issue because I think your problem is resolved, but let me know if that's wrong.