I'm struggling with serving a build created with "create-react-app" using Express with Helmet. I'm getting several errors in the explorer console related to Content
Got here via Google with the same question. I didn't want to lower any of the security settings in helmet so I changed my react build config. Simply add the line
INLINE_RUNTIME_CHUNK=false
to your .env in the react app root directory. Then when you run
npm run build
to build the app, all inlined scripts will be removed and will no longer violate the CSP. This does add one extra initial HTTP GET request when first loading the site but seems to be worth the security benefits in my opinion.
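A way to confirm the rebuilt page no longer contains inline scripts, as an added example that is not part of the original answer. It assumes the policy in force has script-src 'self' with no 'unsafe-inline', nonce or hash; the function name and both sample pages are constructed for illustration.

```javascript
// Added example: list <script> elements that carry inline code, which a CSP of
// "script-src 'self'" (assumed policy) would refuse to execute.

// Script types browsers treat as data blocks and never execute.
const DATA_BLOCK_TYPES = new Set(['application/json', 'application/ld+json']);

function findInlineScripts(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2].trim();
    // A src attribute means the code is fetched from a URL, not inlined.
    if (/(?:^|\s)src\s*=/i.test(attrs)) continue;
    const type = /(?:^|\s)type\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (type && DATA_BLOCK_TYPES.has(type[1].toLowerCase())) continue;
    if (body === '') continue; // empty element, nothing to execute
    findings.push({ offset: m.index, preview: body.slice(0, 60) });
  }
  return findings;
}

// Constructed samples shaped like a create-react-app build/index.html.
const BUILD_WITH_INLINE_RUNTIME = `<!doctype html><html><head><title>App</title></head>
<body><div id="root"></div>
<script>!function(e){/* webpack runtime, constructed stand-in */}([])</script>
<script src="/static/js/2.chunk.js"></script>
<script src="/static/js/main.chunk.js"></script></body></html>`;

// Same page after building with INLINE_RUNTIME_CHUNK=false: the runtime is a file.
const BUILD_WITHOUT_INLINE_RUNTIME = `<!doctype html><html><head><title>App</title></head>
<body><div id="root"></div>
<script src="/static/js/runtime-main.js"></script>
<script src="/static/js/2.chunk.js"></script>
<script src="/static/js/main.chunk.js"></script></body></html>`;

for (const [name, html] of [
  ['inline runtime', BUILD_WITH_INLINE_RUNTIME],
  ['INLINE_RUNTIME_CHUNK=false', BUILD_WITHOUT_INLINE_RUNTIME],
]) {
  const hits = findInlineScripts(html);
  console.log(`${name}: ${hits.length} inline script(s)`);
  for (const h of hits) console.log(`  at offset ${h.offset}: ${h.preview}`);
}
```

To check a real build, pass the contents of build/index.html to findInlineScripts and fail the build step if the result is not empty.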