How to set nonce in helmet >4.0? #240
Comments
.. apparently by picking and forwarding the context manually:

```js
server.use((req, res, next) =>
  helmet.contentSecurityPolicy({
    directives: {
      ...
      scriptSrc: [
        `'nonce-${res.locals.nonce}'`,
        "'strict-dynamic'",
        ...
      ],
    },
  })(req, res, next)
);
```

I don't like this. Also, this should have been mentioned in the changelog.
@mercteil That's exactly right. Here's a wiki page describing how to do that in more detail. @einfallstoll Good point. I've added it to the changelog in c01ad1e. This has made me realize that I need to create a migration guide. See #241 to track this. I'm going to close this issue because I think this has been resolved, but if folks really want this feature, we can discuss adding it back.
Agreed that this was pretty handy and simpler than the current solution. I haven't updated to helmet 4.0.0 due to this issue, so if it's not too much work, I'd like the ability to use functions back too 🙂
This issue has been troublesome for a lot of people and I'm going to re-add the behavior to Helmet, likely in version 4.1.0. See #243 to follow my progress. |
This feature will be added to Helmet version 4.1.0. You can try it out today with |
In version 3 I could set nonce from `res.locals` like this:

In 4.0 I get an error when providing a function for setting nonce:

Error: Content-Security-Policy received an invalid directive value for "script-src"

So the question is how to set nonce in helmet 4.0?