search

Content Security Policy

Content Security Policy (CSP) values are set in response headers via helmet in NestJS.

circle-exclamation

CSP values set in <meta> in the Angular index.html will be ignored as they are overwritten by Helmet in the repsonse headers

circle-info

Angular service worker requests require an additional CSP of 'connect-src *' these are configured in main.ts as below.

nest-api/src/main.ts
app.use(helmet.contentSecurityPolicy({
      useDefaults: true,
      directives: { /* Override CSP Defaults */
        ...
        connectSrc: [ '*' ],
        ...
      },
    })
  )

Service worker requests are treated differently and must be accomodated to not cause browser errors. See this blog article for more information:

LogoQubyte Codes - Content-Security-Policy and service workersqubyte.codeschevron-right
PreviousSecurityNextConfiguration

Last updated