How to use 3rd party libraries and inline scripts in nodejs app while helmet enabled
I was developing a nodejs app and implimented some security , I used helmet like this
app.use(helmet())
now browser does not allow me to use third party libraries and inline script . you can check image
So I found solution. see below
app.use(helmet({ contentSecurityPolicy: false}))
now everything solved . I want to know that why this happen how to use 3rd party libraries and inline scripts without the setting contentSecurityPolicy: false in helmet
I also found about we must include a manifest.json file in public folder and mention all third party libraries in it . how to impliment that ? thanks in advance 
Helmet maintainer here.
This is happening because of something called Content Security Policy, which Helmet sets by default. To solve your problem, you will need to configure Helmet's CSP.
MDN has a good documentation about CSP which I would recommend reading for background. After that, take a look at Helmet's README to see how to configure its CSP component.
In summary: to solve your problem, you will need to tell Helmet to configure your CSP.
- CSP style-src: 'unsafe-inline' - is it worth it?
- How to Fix "String as JavaScript" Errors in FLP? (Async Module Loading)
- Prevent svelte build from including inline script as it violates CSP
- insertBefore and appendChild in font awesome kit (version 5.15.4) causing csp issue only in Firefox Asp.Net Core
- Vite + Vue 3 built project Content-Security-Policy Error (CSP) 'script-src "self"' because of new Function constructor in built files
- Refused to load the script : Content-Security-Policy
- Jenkins Content Security Policy
- Does the Content Security Policy Standard support wildcard paths? If not, why doesn't it?
- What is the difference between CORS and CSPs?
- This document requires 'TrustedScriptURL' assignment
- Electron Content Security Policy error when connecting to my api
- Why are FQDN (ending with a dot) not working in CSP?
- How do I show video content when Content Security Policy is in place?
- Content security policy error when trying to frame Authorize.net hosted payment page
- Html Error: Refused to load the script because it violates the following Content Security Policy directive
- Unrecognized Content-Security-Policy directive 'script-src:'
- adding security headers in wso2am-4.0.0 (sts & csp & referer headers)
- Why would a REST API need a CSP?
- PyQt5: How to download icon for QWebEngineView?
- Stripe js script violates all the unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' and 'self' directives how it is possible?
- Content Security Policy: "img-src 'self' data:"
- Content Security Policy "data" not working for base64 Images in Chrome 28
- Refused to create a worker from 'blob:https://x/6a...293' because it violates the following Content Security Policy directive
- Content Security Policy - Determine source of blocked resource
- How to detect `eval` calls when addressing UI5 modules at runtime?
- Setup for Helmet and ReportURi?
- Content Security Policy not blocking the loading of third party javascript
- Refused to load the script because it violates the following Content Security Policy directive
- javascript click function causes Content Security Policy error
- CSP with NextJS 'Refused to execute inline script' in production