
Implement helmet-csp on individual routes

I'm creating a sample Express app to demonstrate Content-Security-Policy (CSP) headers and am trying to use helmet-csp.

All of the documentation for helmet-csp shows it used as standard third-party middleware via app.use(csp({ ... })) - this adds the CSP headers to every route in my application, but I want to customize it on individual routes.

Sample App

var express = require('express');
var http = require('http');
var csp = require('helmet-csp');
var app = express();

// Registered with app.use, so the header is set on every route
app.use(csp({
    directives: {
        frameSrc: ["'none'"]
    }
}));

app.get('/', (request, response) => {
    response.send('hi, :wave: =]');
});

app.get('/frameable', (request, response) => {
    response.send('you can frame me!');
});

http.createServer(app).listen(80, (err) => {
    if (err) {
        return console.log('error', err);
    }
});

With the above, every route receives the CSP header:

Content-Security-Policy: frame-src 'none'

In the /frameable route, I would want to override this CSP header to be:

Content-Security-Policy: frame-src 'self'

Whenever I need/want to customize a header set by helmet-csp on a per-route basis, do I need to manually override them inside each app.get with a line such as:

response.setHeader('Content-Security-Policy', "frame-src 'self'");

Or is there a way to do this via helmet-csp itself?


  • A custom middleware is able to change headers; just add it after the use(csp):

    app.use(function (req, res, next) {
        if (req.url == '/frameable') {
            // Overwrite the header that csp() already set for this request
            res.set('Content-Security-Policy', 'frame-src \'self\'');
        }
        next();
    });

    You can also chain middleware, since it is a function that returns a function:

    app.use(function (req, res, next) {
        var middleware;
        if (req.url == '/frameable') {
            middleware = csp({
                directives: {
                    frameSrc: ["'self'"]
                }
            });
        } else {
            middleware = csp({
                directives: {
                    frameSrc: ["'none'"]
                }
            });
        }
        // Run whichever csp() instance was picked for this request
        middleware(req, res, next);
    });
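    A variant of the chained approach above as an added example (not code from the question, the answer, or helmet-csp itself): a policy table keyed on req.path selects which csp-style middleware runs, so a query string such as /frameable?x=1 still matches, which a comparison against req.url would miss. buildCsp and cspMiddleware are assumed stand-ins that mimic the call shape of csp({ directives }) and only format the header; real helmet-csp also validates the directives.

    ```javascript
    // Turn helmet-csp style camelCase directive keys into header names:
    // frameSrc -> frame-src, defaultSrc -> default-src
    function directiveName(key) {
      return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
    }

    // Serialize { frameSrc: ["'self'"] } into "frame-src 'self'"
    // (assumed stand-in for helmet-csp's own serializer; no validation)
    function buildCsp(directives) {
      return Object.keys(directives)
        .map((key) => `${directiveName(key)} ${directives[key].join(' ')}`)
        .join('; ');
    }

    // Middleware factory with the same call shape as csp({ directives }):
    // sets the header for every request it sees, then hands off.
    function cspMiddleware(options) {
      const value = buildCsp(options.directives);
      return function (req, res, next) {
        res.setHeader('Content-Security-Policy', value);
        next();
      };
    }

    // Per-route policy table keyed on req.path (not req.url, which still
    // carries the query string, so '/frameable?x=1' would miss a req.url test).
    function cspByRoute(defaultDirectives, overrides) {
      const fallback = cspMiddleware({ directives: defaultDirectives });
      const perPath = {};
      for (const path of Object.keys(overrides)) {
        perPath[path] = cspMiddleware({ directives: overrides[path] });
      }
      return function (req, res, next) {
        const handler = Object.prototype.hasOwnProperty.call(perPath, req.path)
          ? perPath[req.path] : fallback;
        handler(req, res, next);
      };
    }

    // Run a middleware against a constructed request and return the header it set.
    function headerFor(middleware, path, url) {
      const headers = {};
      const res = { setHeader: (name, value) => { headers[name] = value; } };
      let passedOn = false;
      middleware({ path, url }, res, () => { passedOn = true; });
      return passedOn ? headers['Content-Security-Policy'] : undefined;
    }

    // Constructed policies matching the question: frame-src 'none' everywhere,
    // frame-src 'self' only on /frameable.
    const policy = cspByRoute(
      { frameSrc: ["'none'"] },
      { '/frameable': { frameSrc: ["'self'"] } }
    );
    ```

    In the Express app this would be registered once with app.use(policy) in place of app.use(csp({ ... })).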