
Prevent Inline Script Execution by Implementing Script-Src CSP Headers in Express

Instructor: Mike Sherov


In this lesson, we'll learn what CSP (Content Security Policy) is and how a script-src directive can stop inline scripts from executing on our vulnerable website. First, we'll deploy the policy in report-only mode (the Content-Security-Policy-Report-Only header), which sends violation reports to the endpoint we specify without blocking anything, so we can see what the policy would break before it breaks it. Then we'll switch to the enforcing Content-Security-Policy header, which blocks inline scripts outright.

Cygni E-learning
~ 4 years ago

How do you prevent csurf from blocking this POST? I added the route below the routeLogin and routeMessages part, but then I get a 403 because of this part:

// Error-handling middleware that csurf reaches when a request's CSRF token
// is missing or invalid (err.code === "EBADCSRFTOKEN"); other errors pass on
app.use(function(err, req, res, next) {
  if (err.code !== "EBADCSRFTOKEN") return next(err);

  // handle CSRF token errors here
  res.status(403).send("csrf detected");
});
Mike Sherov (instructor)
~ 4 years ago

Hi Cygni,

Please make sure your CSP route is registered before the CSRF handler. That should fix it! Thanks.
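The following is an added example, not code from the lesson, from csurf or from Express. It shows the two steps the lesson describes (report-only header first, enforcing header second), a handler that parses the JSON body browsers POST to the report-uri endpoint, and the ordering point from the thread above: the report route has to sit before the CSRF check, because the browser's report POST carries no CSRF token. To run offline it uses Express's (req, res, next) middleware shape on a tiny in-file stack instead of a real Express app, and a stand-in CSRF check instead of csurf; the route path /csp-report, the x-csrf-token header name and the sample report are all assumptions.

```javascript
// Added example: CSP report-only vs enforce in Express-style middleware,
// plus why the report route must be registered before the CSRF check.
// Assumed report path; any route you control will do.
const REPORT_PATH = '/csp-report';

// 'self' allows scripts from our own origin only. There is no 'unsafe-inline',
// so inline <script> blocks violate the policy. report-uri names the endpoint
// the browser POSTs violations to (older directive, still widely honoured).
function buildCspValue(reportPath = REPORT_PATH) {
  return `default-src 'self'; script-src 'self'; report-uri ${reportPath}`;
}

// enforce=false -> Content-Security-Policy-Report-Only: report, do not block.
// enforce=true  -> Content-Security-Policy: block inline scripts and report.
function csp({ enforce = false, reportPath = REPORT_PATH } = {}) {
  const name = enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
  const value = buildCspValue(reportPath);
  return (req, res, next) => { res.setHeader(name, value); next(); };
}

// Browsers send reports as application/csp-report with the JSON wrapped in a
// "csp-report" object. Accepts a raw string or an already-parsed body and
// returns a flat record, or null when the body is not a usable report.
function parseCspReport(body) {
  let data = body;
  if (typeof body === 'string') {
    try { data = JSON.parse(body); } catch { return null; }
  }
  const r = data && data['csp-report'];
  if (!r || typeof r !== 'object') return null;
  return {
    documentUri: String(r['document-uri'] || ''),
    violatedDirective: String(r['violated-directive'] || ''),
    blockedUri: String(r['blocked-uri'] || ''),
    sourceFile: String(r['source-file'] || ''),
    lineNumber: Number(r['line-number']) || 0,
  };
}

const reports = []; // in-memory sink for this example; log or queue these in production

function cspReportHandler(req, res) {
  const report = parseCspReport(req.body);
  if (!report) { res.statusCode = 400; return res.end('bad report'); }
  reports.push(report);
  res.statusCode = 204; // nothing to return to the browser
  res.end();
}

// Stand-in for a CSRF check (not csurf): any POST without a valid token gets 403,
// which is what the thread's csurf error handler does.
function fakeCsrf(req, res, next) {
  if (req.method === 'POST' && req.headers['x-csrf-token'] !== 'valid') {
    res.statusCode = 403; return res.end('csrf detected');
  }
  next();
}

// Minimal Express-like stack: middleware and routes run in registration order,
// and processing stops when a handler ends the response instead of calling next().
function createStack() {
  const layers = [];
  return {
    use: (fn) => layers.push({ fn }),
    post: (path, fn) => layers.push({ method: 'POST', path, fn }),
    handle(req) {
      const res = {
        statusCode: 200, headers: {}, body: '', finished: false,
        setHeader(k, v) { this.headers[k] = v; },
        end(b = '') { this.body = b; this.finished = true; },
      };
      const run = (i) => {
        if (i >= layers.length || res.finished) return;
        const l = layers[i];
        if (l.method && (l.method !== req.method || l.path !== req.path)) return run(i + 1);
        l.fn(req, res, () => run(i + 1));
      };
      run(0);
      return res;
    },
  };
}

// reportBeforeCsrf=true is the instructor's fix; false reproduces the 403 from the thread.
function buildApp({ enforce = false, reportBeforeCsrf = true } = {}) {
  const app = createStack();
  app.use(csp({ enforce }));
  if (reportBeforeCsrf) app.post(REPORT_PATH, cspReportHandler);
  app.use(fakeCsrf);
  if (!reportBeforeCsrf) app.post(REPORT_PATH, cspReportHandler);
  return app;
}

// Constructed sample: what a browser POSTs when an inline script trips script-src.
// Note there is no CSRF token on it, so a CSRF check in front of it rejects it.
const sampleReport = {
  method: 'POST', path: REPORT_PATH, headers: { 'content-type': 'application/csp-report' },
  body: JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/messages', 'violated-directive': 'script-src',
    'blocked-uri': 'inline', 'source-file': 'https://app.example/messages', 'line-number': 12 } }),
};
```

With a real Express app the same shape is: app.use(csp({ enforce: false })), then app.post('/csp-report', express.json({ type: 'application/csp-report' }), cspReportHandler) before app.use(csurf()), since express.json ignores the csp-report content type unless told to accept it; flip enforce to true once the reports show nothing you still need.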