Nesula
1.0.0
Content Security Policy

Last updated 3 years ago

Content Security Policy (CSP) values are set in response headers via Helmet in NestJS.

CSP values set in <meta> in the Angular index.html will be ignored, as they are overwritten by Helmet in the response headers.

Angular service worker requests require an additional CSP directive, 'connect-src *', which is configured in main.ts as shown below.

nest-api/src/main.ts
app.use(
  helmet.contentSecurityPolicy({
    useDefaults: true,
    directives: {
      /* Override CSP Defaults */
      // ...
      connectSrc: ['*'], // sent to the browser as "connect-src *"
      // ...
    },
  }),
);
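
To see what this override does to the header, the added example below (not Nesula's or Helmet's code) merges the page's `connectSrc: ['*']` over a constructed stand-in for the defaults, serialises the result, and flags any directive left with a bare wildcard. The names `SAMPLE_DEFAULTS`, `mergeDirectives`, `toHeaderValue` and `wildcardDirectives`, and the `https://api.example.test` origin, are assumptions made for illustration.

```typescript
// Added example: a stand-alone model of the merge, not Helmet's implementation.
type Directives = Record<string, string[]>;

// Constructed stand-in for the directives that `useDefaults: true` keeps;
// the real default list depends on the installed Helmet version.
const SAMPLE_DEFAULTS: Directives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'"],
  imgSrc: ["'self'", 'data:'],
  objectSrc: ["'none'"],
};

// An override replaces the default of the same name; other defaults are kept.
function mergeDirectives(defaults: Directives, overrides: Directives): Directives {
  return { ...defaults, ...overrides };
}

// camelCase key -> kebab-case directive name, joined into one header value.
function toHeaderValue(directives: Directives): string {
  return Object.keys(directives)
    .map((key) => {
      const name = key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
      return `${name} ${(directives[key] || []).join(' ')}`;
    })
    .join('; ');
}

// Keys of the directives whose source list contains a bare wildcard.
function wildcardDirectives(directives: Directives): string[] {
  return Object.keys(directives).filter(
    (key) => (directives[key] || []).indexOf('*') !== -1,
  );
}

// The override from main.ts above: connect-src accepts any origin.
const asDocumented = mergeDirectives(SAMPLE_DEFAULTS, { connectSrc: ['*'] });

// Hypothetical tighter variant listing only origins the app is known to call.
// Whether it satisfies the service worker depends on what the worker fetches.
const narrowed = mergeDirectives(SAMPLE_DEFAULTS, {
  connectSrc: ["'self'", 'https://api.example.test'],
});
```

Run from a unit test, a check like `wildcardDirectives` makes a wildcard in any directive other than the documented `connectSrc` visible in review.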

Service worker requests are treated differently and must be accommodated so that they do not cause browser errors. See this blog article for more information:

Qubyte Codes - Content-Security-Policy and service workers