Integration with Other Security Headers
// Comprehensive security header implementation
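app.use((req, res, next) => {
  // The per-response nonce is expected to be generated by an earlier
  // middleware and stored in res.locals.nonce. If it is absent, the original
  // concatenation emits the literal 'nonce-undefined' — a fixed, predictable
  // value that any injected inline script could carry, which silently defeats
  // the script-src restriction. Fail the request (via the Express error
  // path) rather than serve a policy that only looks strict.
  const { nonce } = res.locals;
  if (typeof nonce !== 'string' || nonce === '') {
    next(new Error('CSP nonce missing: res.locals.nonce must be set before the security-header middleware'));
    return;
  }

  // Referrer policy as part of defense in depth
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  // Kept for user agents that predate CSP frame-ancestors; modern browsers
  // honour the frame-ancestors directive set below instead.
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
  res.setHeader('X-XSS-Protection', '0'); // Disabled in favor of CSP

  // Directives are assembled as a list so adding or auditing one is a
  // single-line change; the joined output is byte-identical in form to a
  // hand-written "a; b; c" policy string.
  const csp = [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "style-src 'self' 'unsafe-inline'",
    "frame-ancestors 'self'", // CSP equivalent of X-Frame-Options: SAMEORIGIN
  ];
  res.setHeader('Content-Security-Policy', csp.join('; '));

  next();
});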