Javascript - CSP does not work as expected (it allows React SPA to load things when is set to 'none')

Ash
September 28, 2024
78 views
1 vote
2 Answers

I have a React SPA with only one request to my Node.js + express server with header "Content-Security-Policy" set to default-src ‘none’. Although it still loads everything. What am I doing wrong? P.S: incognito mode does not help, I use latest version of Chrome.

I’ve checked syntax adding it to tag and it worked but I want to be able to make my web app more secure via HTTP.

Answers

- OrazbekKadyrov
- September 26, 2024 at 6:46 pm
- 0 votes
0
The CSP header must be on the client. If you want to protect the server, use CORS headers.

Example:
Access-Control-Allow-Origin: http://localhost:5139

Login or Signup to reply.

- rhinosforhire
- September 28, 2024 at 11:08 pm
- 0 votes
0
The Content-Security-Policy header must be sent with the HTML Doc response.

In your screenshot, it looks like the HTML Doc response doesn’t have a Content-Security-Policy because your browser loaded the React app, which then fetched /ping.

Diagnosing your problem
1. In DevTools > Network, filter requests by the Doc type.
  - Here is your screenshot with the location of Doc circled in red.
2. Reload the page to capture the Doc response.
3. Does the Doc response have a Content-Security-Policy?
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Javascript – CSP does not work as expected (it allows React SPA to load things when is set to 'none')

Answers