Prevent Inline Script Execution by Implementing Script-Src CSP Headers in Express
In this lesson, we'll learn what CSP is and how it can be used to prevent inline scripts from being executed on our vulnerable website. First, we'll deploy CSP in "report only" mode, which will send violations to the endpoint you specify without blocking execution. Then, we'll run CSP in regular mode, which we'll use to completely block inline scripts from executing.
Cygni E-learning
~ 4 years ago
How do you prevent csurf to block this post? I added the route below the routeLogin and routeMessages part but then I get a 403 because of this part:
app.use(function(err, req, res, next) {
if (err.code !== "EBADCSRFTOKEN") return next(err);
// handle CSRF token errors here
res.status(403).send("csrf detected");
});Mike Sherovinstructor
~ 4 years ago
Hi Cygni,
Please make sure your CSP route is registered before the CSRF handler. That should fix it! Thanks.