In this lesson, we'll learn what Content Security Policy (CSP) is and how it can be used to prevent inline scripts from executing on our vulnerable website. First, we'll deploy CSP in "report only" mode, which sends violation reports to the endpoint you specify without blocking execution. Then, we'll run CSP in regular (enforcing) mode to block inline scripts from executing altogether.
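The two-stage rollout described above, written as an added example rather than the lesson's own code: the same policy is first sent as `Content-Security-Policy-Report-Only`, then as `Content-Security-Policy`, and a small endpoint receives the browser's violation reports. The function names, the `/csp-report` path and the sample report are assumptions; `req.body` is assumed to hold the raw report text (for example via `express.text({ type: "application/csp-report" })`).

```javascript
// Added example (not the lesson's code); all names below are assumed.
// Without 'unsafe-inline', every inline <script> violates script-src and is
// reported (report-only header) or blocked (enforcing header).
function buildCspHeader({ reportOnly, reportUri = "/csp-report" }) {
  const value = [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    `report-uri ${reportUri}`, // the browser POSTs a JSON violation report here
  ].join("; ");
  const name = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  return { name, value };
}

// app.use(cspMiddleware({ reportOnly: true })) first; switch to false once the
// report log shows only violations you intend to block.
function cspMiddleware(options) {
  const header = buildCspHeader(options);
  return (req, res, next) => {
    res.setHeader(header.name, header.value);
    next();
  };
}

// Reduce a report (Content-Type: application/csp-report) to the fields worth
// logging. blocked-uri is the literal string "inline" for inline scripts.
function summarizeCspReport(rawBody) {
  const report = JSON.parse(rawBody)["csp-report"];
  if (!report) throw new Error("missing csp-report envelope");
  return {
    page: report["document-uri"],
    directive: report["effective-directive"] || report["violated-directive"],
    blockedUri: report["blocked-uri"],
    inlineScript: report["blocked-uri"] === "inline",
  };
}

// Report endpoint. Register it BEFORE app.use(csurf()): the browser sends no CSRF
// token with reports, so csurf would reject the POST with the 403 discussed in the comments.
function cspReportHandler(req, res) {
  const summary = summarizeCspReport(req.body);
  res.status(204).end(); // browsers ignore the body; 204 keeps the log clean
  return summary;        // returned so the caller can log or inspect it
}
// Constructed sample report, shaped like what a browser POSTs to report-uri.
const SAMPLE_REPORT = JSON.stringify({ "csp-report": {
  "document-uri": "https://example.test/messages", "violated-directive": "script-src 'self'",
  "effective-directive": "script-src", "blocked-uri": "inline",
} });
```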
How do you prevent csurf from blocking this POST? I added the route below the routeLogin and routeMessages part, but then I get a 403 because of this part:
```javascript
// Express error handler: csurf passes an error with code EBADCSRFTOKEN
// when a request arrives without a valid CSRF token.
app.use(function(err, req, res, next) {
  if (err.code !== "EBADCSRFTOKEN") return next(err); // not a CSRF error, pass it on
  // handle CSRF token errors here
  res.status(403).send("csrf detected");
});
```
Hi Cygni,
Please make sure your CSP route is registered before the CSRF handler. That should fix it! Thanks.