Hey there, I am looking to add a request header of Content-Security-Policy-Report-Only and Content-Security-Policy across the site in preparation for an upcoming security scan. In looking at the XDN documentation, I see we can add them at a route level. Is there any way to define global headers to the build?
Thanks
See https://developer.moovweb.com/guides/security#section_content_security_policy__csp_
You can easily add CSP headers to your site via a catch-all route near the top of your router.
To enforce a content security policy:
new Router().match('/:path*', ({ setResponseHeader }) => {
  setResponseHeader(
    'Content-Security-Policy',
    "default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi",
  )
})
To enable a content security policy in report-only mode:
new Router().match('/:path*', ({ setResponseHeader }) => {
  setResponseHeader(
    'Content-Security-Policy-Report-Only',
    "default-src 'self'"
  )
})
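
Both headers set from a single catch-all handler, as an added example that is not part of the original answer or the XDN documentation. The helper names (`buildCsp`, `applyCspHeaders`, `collectHeaders`) and the stricter report-only policy are assumptions made for illustration; the handler takes the same `({ setResponseHeader })` argument as the snippets above.

```javascript
// Added example. Policies below are constructed for illustration.
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic']);
const REPORT_URI = 'http://reportcollector.example.com/collector.cgi'; // value from the answer above

// Serialize { directive: [sources] } into a CSP header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => {
      if (!/^[a-z-]+$/.test(name)) throw new Error(`bad directive name: ${name}`);
      const parts = sources.map((src) => {
        // ';' or ',' would start a new directive or policy; whitespace would
        // split the source. Reject them instead of emitting a changed policy.
        if (src === '' || /[;,\s]/.test(src)) {
          throw new Error(`bad source in ${name}: ${JSON.stringify(src)}`);
        }
        return KEYWORDS.has(src) ? `'${src}'` : src; // keywords must be single-quoted
      });
      return [name, ...parts].join(' ');
    })
    .join('; ');
}

// Policy that is enforced today.
const enforced = { 'default-src': ['self'], 'report-uri': [REPORT_URI] };
// Stricter candidate, trialled in report-only mode. It carries a report-uri so
// violations reach the collector instead of only the browser console.
const candidate = {
  'default-src': ['self'],
  'script-src': ['self'],
  'object-src': ['none'],
  'report-uri': [REPORT_URI],
};

// Handler for the catch-all route; sets both headers on every response.
// In the XDN router: new Router().match('/:path*', applyCspHeaders)
function applyCspHeaders({ setResponseHeader }) {
  setResponseHeader('Content-Security-Policy', buildCsp(enforced));
  setResponseHeader('Content-Security-Policy-Report-Only', buildCsp(candidate));
}

// Offline stand-in for the router: runs a handler and returns the headers it set.
function collectHeaders(handler) {
  const headers = {};
  handler({ setResponseHeader: (key, value) => { headers[key] = value; } });
  return headers;
}
```
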