I don't know where to apply the Content Security Policy (CSP) snippet below in my code:
Content-Security-Policy: script-src 'self' https://apis.google.com
For a node.js application without using any external framework e.g. express:
const http = require('http');
http.createServer((request, response) => {
  request.on('error', (err) => {
    console.error(err);
  }).on('data', () => {
    // for this simple example the request body is discarded; the no-op
    // 'data' listener only switches the stream into flowing mode,
    // otherwise 'end' never fires and the response is never sent
  }).on('end', () => {
    response.on('error', (err) => {
      console.error(err);
    });
    // you can set your headers with setHeader or
    // use writeHead as a "shortcut" to include the statusCode.
    // Note writeHead won't cache results internally
    // and if used in conjunction with setHeader will take some sort of "precedence"
    response.writeHead(200, {
      "Content-Security-Policy": "default-src 'self'"
      // other security headers here...
    });
    response.end("Hello, Security Headers!\n");
  });
}).listen(8080);
See the node.js documentation for more details on setting headers on the response object.