I want to disable the CSP (app.use(helmet.contentSecurityPolicy()))
because it blocks all inline scripts. The hash and nonce solutions (https://content-security-policy.com/examples/allow-inline-script/) are too much overkill for my app.
Is the xss-clean
package, or another solution, enough to get regular/moderate security?
Thanks :)
You have complete control using the helmet
middleware you mentioned.
The reference docs are clear about setting up your CSP.
Once set, you can always evaluate the strength of your CSP with a validator such as this one.
From the docs:
If no directives are supplied, the following policy is set (whitespace added for readability):
default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
You can set the policy when you load `helmet` by following the instructions in the documentation.
Here is an example configuration:
// Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none';upgrade-insecure-requests"
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "example.com"],
      objectSrc: ["'none'"],
      upgradeInsecureRequests: [],
    },
  })
);