{"id":18412,"library":"helmet-csp","title":"helmet-csp","description":"Content Security Policy middleware for Express and Node.js. Version 4.0.0 requires Node >=18 and ships TypeScript definitions. It sets the Content-Security-Policy header using a directives object with support for camelCase or kebab-case keys, dynamic values via functions, and a default policy that can be overridden or disabled. Unlike generic CSP libraries, it integrates directly with the Helmet ecosystem and provides sensible defaults to prevent common vulnerabilities like XSS, though it performs minimal validation on the policy itself.","status":"active","version":"4.0.0","language":"javascript","source_language":"en","source_url":"git://github.com/helmetjs/helmet","tags":["javascript","express","security","content-security-policy","csp","xss","typescript"],"install":[{"cmd":"npm install helmet-csp","lang":"bash","label":"npm"},{"cmd":"yarn add helmet-csp","lang":"bash","label":"yarn"},{"cmd":"pnpm add helmet-csp","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package is CommonJS only; default export is a function. TypeScript users can use `import csp = require('helmet-csp')`.","wrong":"import csp from 'helmet-csp'","symbol":"default (contentSecurityPolicy)","correct":"const csp = require('helmet-csp')"},{"note":"The named export exists only as an alias to the default export. Same CommonJS restriction.","wrong":"import { contentSecurityPolicy } from 'helmet-csp'","symbol":"contentSecurityPolicy","correct":"const { contentSecurityPolicy } = require('helmet-csp')"},{"note":"Available as a named export, but CommonJS only. 
Returns the default directives object.","wrong":"import { getDefaultDirectives } from 'helmet-csp'","symbol":"getDefaultDirectives","correct":"const { getDefaultDirectives } = require('helmet-csp')"}],"quickstart":{"code":"const express = require('express');\nconst csp = require('helmet-csp');\nconst app = express();\n\napp.use(\n  csp({\n    directives: {\n      defaultSrc: [\"'self'\"],\n      scriptSrc: [\"'self'\", \"'unsafe-inline'\", (req, res) => `'nonce-${res.locals.cspNonce}'`],\n      styleSrc: [\"'self'\", \"'unsafe-inline'\"],\n      imgSrc: [\"'self'\", 'data:', 'https:'],\n    },\n  })\n);\n\napp.get('/', (req, res) => {\n  res.locals.cspNonce = require('crypto').randomBytes(16).toString('hex');\n  res.send('<h1>Hello World</h1>');\n});\n\napp.listen(3000);","lang":"javascript","description":"Configures Express with Content Security Policy middleware using custom directives and dynamic nonce."},"warnings":[{"fix":"Install via npm install helmet-csp and import separately from helmet.","message":"In version 4.0.0, the package is no longer a submodule of helmet. It must be installed separately.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Upgrade Node to version 18 or higher.","message":"TypeScript types are now included but require Node >=18. Older Node versions will not work.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Validate your CSP policy with CSP Evaluator or similar before deploying.","message":"The package performs very little validation on CSP directives. 
Use external tools like CSP Evaluator.","severity":"gotcha","affected_versions":"*"},{"fix":"Ensure you explicitly define all required directives when disabling defaults, especially defaultSrc.","message":"Setting `useDefaults: false` disables the built-in defaults completely, which may create an insecure policy.","severity":"gotcha","affected_versions":"*"},{"fix":"Use the `report-uri` or `report-to` directives instead, or set the header manually.","message":"The `Content-Security-Policy-Report-Only` mode via `reportOnly: true` is deprecated in favor of using separate headers.","severity":"deprecated","affected_versions":">=4.0.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Run `npm install helmet-csp` and use `require('helmet-csp')`.","cause":"Package not installed or imported incorrectly.","error":"Error: Cannot find module 'helmet-csp'"},{"fix":"Use `const csp = require('helmet-csp');` and call `csp({...})`.","cause":"Wrong import style; must use default export with require.","error":"TypeError: contentSecurityPolicy is not a function"},{"fix":"Use valid directive names like `defaultSrc` (camelCase) or `default-src` (kebab-case).","cause":"Mixing camelCase and kebab-case, or using an unknown directive.","error":"Error: Invalid directive: 'default-src'"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}