
Prevent Inline Script Execution by Implementing Script-Src CSP Headers in Express

Mike Sherov (Instructor)


In this lesson, we'll learn what CSP is and how it can be used to prevent inline scripts from being executed on our vulnerable website. First, we'll deploy CSP in "report only" mode, which will send violations to the endpoint you specify without blocking execution. Then, we'll run CSP in regular mode, which we'll use to completely block inline scripts from executing.

Cygni E-learning
~ a year ago

How do you prevent csurf from blocking this POST? I added the route below the routeLogin and routeMessages part, but then I get a 403 because of this part:

app.use(function(err, req, res, next) {
  if (err.code !== "EBADCSRFTOKEN") return next(err);

  // handle CSRF token errors here
  res.status(403).send("csrf detected");
});
Mike Sherov (instructor)
~ a year ago

Hi Cygni,

Please make sure your CSP route is registered before the CSRF handler. That should fix it! Thanks.
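The two modes described in the lesson summary, and the report-endpoint ordering question from the comments, as an added example that is not the lesson's own code: an Express-style `script-src` middleware that switches between `Content-Security-Policy-Report-Only` and the enforcing header, plus a parser for the report the browser POSTs to `report-uri`. Express is not required to run it; the middleware only uses the `(req, res, next)` convention, and the report payload and `/csp-report` path are constructed assumptions.

```javascript
// Added example (not the lesson's code). Policy allows scripts only from our
// own origin and names a report endpoint; with no 'unsafe-inline', inline
// <script> blocks are reported (report-only) or blocked (enforcing).
function buildScriptSrcPolicy(reportPath) {
  return `default-src 'self'; script-src 'self'; report-uri ${reportPath}`;
}

// Middleware factory. reportOnly = true: the browser sends violations to
// reportPath but still runs the script. reportOnly = false: enforce.
function cspHeaders({ reportOnly = true, reportPath = '/csp-report' } = {}) {
  const headerName = reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  const policy = buildScriptSrcPolicy(reportPath);
  return function cspMiddleware(req, res, next) {
    res.setHeader(headerName, policy);
    next();
  };
}

// Reduce a report-uri payload ({ "csp-report": {...} }) to a log record.
// Browsers report blocked inline scripts with blocked-uri "inline".
function summarizeCspReport(body) {
  const r = body && body['csp-report'];
  if (!r || typeof r !== 'object') return null;
  return {
    document: r['document-uri'] || '',
    directive: r['effective-directive'] || r['violated-directive'] || '',
    blocked: r['blocked-uri'] || '',
    inline: r['blocked-uri'] === 'inline',
  };
}

// Report endpoint. Register it BEFORE any CSRF middleware (e.g. csurf): the
// browser POSTs reports with no CSRF token, so a later-mounted handler would
// answer 403. Parse the body with express.json({ type: 'application/csp-report' }).
function cspReportHandler(req, res) {
  const summary = summarizeCspReport(req.body);
  if (!summary) { res.status(400).end(); return null; }
  console.warn('CSP violation:', JSON.stringify(summary));
  res.status(204).end();
  return summary;
}

// Constructed sample of what a browser sends for a blocked inline script.
const sampleReport = { 'csp-report': {
  'document-uri': 'https://app.example.test/messages',
  'violated-directive': "script-src 'self'",
  'effective-directive': 'script-src',
  'blocked-uri': 'inline',
} };
```

Wire it up as `app.use(cspHeaders({ reportOnly: true }))` first, then `app.post('/csp-report', express.json({ type: 'application/csp-report' }), cspReportHandler)`, and only after that mount csurf; flip `reportOnly` to `false` once the reports show nothing legitimate is being flagged.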