Integration with Content Security Policy

X-Content-Type-Options and CSP complement each other: `nosniff` stops the browser from guessing a response's type, so a resource served as something other than JavaScript is never executed as a script, while CSP restricts where scripts and other resources may be loaded from at all. Set both in the same middleware:

const crypto = require('crypto');

app.use((req, res, next) => {
    // Fresh nonce per response; expose it on res.locals so templates can stamp it on <script> tags
    const nonce = crypto.randomBytes(16).toString('base64');
    res.locals.cspNonce = nonce;
    // Defense in depth: nosniff blocks MIME-type confusion, CSP limits script sources
    res.setHeader('X-Content-Type-Options', 'nosniff');
    // The nonce must be interpolated with a template literal; inside a plain
    // double-quoted string "${nonce}" would be sent literally and never match
    res.setHeader('Content-Security-Policy',
        "default-src 'self'; " +
        `script-src 'self' 'nonce-${nonce}'; ` +
        "style-src 'self' 'unsafe-inline'; " +
        "object-src 'none'"
    );
    next();
});
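As an added example (not code from the original page), a small audit that parses a Content-Security-Policy header into its directives and checks a set of response headers against the baseline above: nosniff present, a per-response nonce in script-src, no 'unsafe-inline' for scripts, and object-src 'none'. The header values are constructed samples.

```javascript
// Parse a CSP header into { directiveName: [sourceValues...] }
function parseCsp(header) {
    const directives = {};
    for (const part of header.split(';')) {
        const tokens = part.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0) continue;
        const [name, ...values] = tokens;
        directives[name.toLowerCase()] = values;
    }
    return directives;
}

// Return a list of findings; an empty list means the headers meet the baseline
function auditHeaders(headers) {
    const findings = [];
    // Header names are case-insensitive, so normalize before lookup
    const lower = {};
    for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

    if ((lower['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
        findings.push('missing X-Content-Type-Options: nosniff');
    }
    const csp = lower['content-security-policy'];
    if (!csp) {
        findings.push('missing Content-Security-Policy');
        return findings;
    }
    const d = parseCsp(csp);
    // script-src falls back to default-src when absent, per the CSP spec
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    if (!scriptSrc.some(v => /^'nonce-[A-Za-z0-9+\/=_-]+'$/.test(v))) {
        findings.push("script-src has no per-response 'nonce-...' source");
    }
    if (scriptSrc.includes("'unsafe-inline'")) {
        findings.push("script-src allows 'unsafe-inline', which defeats the nonce");
    }
    if (!(d['object-src'] || []).includes("'none'")) {
        findings.push("object-src is not 'none'");
    }
    return findings;
}

// Constructed sample: what the middleware above emits for one response
const sampleGood = {
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-rAnd0mB4se64=='; style-src 'self' 'unsafe-inline'; object-src 'none'",
};
// Constructed sample: a weaker configuration the audit should flag
const sampleWeak = {
    'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
```

Run `auditHeaders` over headers captured from a staging response to confirm the middleware is actually applied on every route, including error pages.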