Prevent Inline Script Execution by Implementing Script-Src CSP Headers in Express

In this lesson, we'll learn what CSP is and how it can be used to prevent inline scripts from being executed on our vulnerable website. First, we'll deploy CSP in "report only" mode, which will send violations to the endpoint you specify without blocking execution. Then, we'll run CSP in regular mode, which we'll use to completely block inline scripts from executing.
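
The two deployment steps described above, as an added example that is not the lesson's own project code: the `script-src` header value, an Express-style middleware that switches between report-only and enforcing mode, and a parser for the violation reports the browser posts back. The report path `/csp-report`, the origin `example.test` and the sample report are assumptions constructed for the example.

```javascript
// Added example, not the lesson's own code: a script-src policy for Express,
// deployed first in report-only mode, then enforcing. The middleware uses the
// Express (req, res, next) signature but runs stand-alone on plain objects.
// 'self' permits scripts from our own origin only; inline <script> blocks are
// not covered and are therefore reported or blocked. report-uri is the older
// but still widely supported reporting directive.
function buildScriptSrcPolicy(reportUri) {
  const directives = ["default-src 'self'", "script-src 'self'"];
  if (reportUri) directives.push(`report-uri ${reportUri}`);
  return directives.join("; ");
}

// reportOnly=true sets Content-Security-Policy-Report-Only: violations are
// POSTed to reportUri but nothing is blocked. reportOnly=false enforces.
// In Express: app.use(csp({ reportOnly: true })), registered before csurf.
function csp({ reportOnly = false, reportUri = "/csp-report" } = {}) {
  const name = reportOnly
    ? "Content-Security-Policy-Report-Only"
    : "Content-Security-Policy";
  const value = buildScriptSrcPolicy(reportUri);
  return function cspMiddleware(req, res, next) {
    res.setHeader(name, value);
    next();
  };
}

// Report endpoint: browsers POST application/csp-report JSON (mount with
// express.json({ type: "application/csp-report" })). Extract the violated
// directive and what was blocked; blocked-uri is "inline" for inline JS.
function parseCspReport(body) {
  const r = JSON.parse(body)["csp-report"] || {};
  return {
    page: r["document-uri"],
    directive: r["violated-directive"] || r["effective-directive"],
    blocked: r["blocked-uri"],
  };
}

// Constructed sample of a browser violation report for an inline script.
const sampleReport = JSON.stringify({ "csp-report": {
  "document-uri": "https://example.test/messages",
  "violated-directive": "script-src", "blocked-uri": "inline" } });

// Stand-in for an Express response so the middleware can be exercised here.
function runMiddleware(mw) {
  const headers = {};
  mw({}, { setHeader: (k, v) => { headers[k] = v; } }, () => {});
  return headers;
}
```

Run in report-only mode first and watch the parsed reports; once they show only the inline scripts you expect to remove, switch to `csp()` to enforce.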

Cygni E-learning
~ 4 years ago

How do you prevent csurf from blocking this post? I added the route below the routeLogin and routeMessages parts, but then I get a 403 because of this part:

const express = require("express");
const app = express();

// Error-handling middleware (four arguments). csurf raises an error with
// code EBADCSRFTOKEN when the token is missing or invalid; any other error
// is passed on to the next error handler.
app.use(function(err, req, res, next) {
  if (err.code !== "EBADCSRFTOKEN") return next(err);

  // handle CSRF token errors here
  res.status(403).send("csrf detected");
});
Mike Sherov (instructor)
~ 4 years ago

Hi Cygni,

Please make sure your CSP route is registered before the CSRF handler. That should fix it! Thanks.