nodeJS - where exactly can I put the Content Security Policy
Question

I don't know where to apply the Content Security Policy (CSP) snippet below in my code:

    Content-Security-Policy: script-src 'self' https://apis.google.com

Should it be in the HTML? Will it be best implemented in JavaScript as in the code snippet below?

    var http = require('http');

    var policy = "default-src 'self'";
    http.createServer(function (req, res) {
        // Send the policy as an HTTP response header
        res.writeHead(200, {
            'Content-Security-Policy': policy
        });
        res.end(); // finish the response so the request does not hang
    });

Answer 1:

You just need to set it in the HTTP Header, not the HTML. This is a working example with express 4
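
Added example, not part of the original question or answer: one way to send the policy as a response header on every request using only Node's built-in `http` module, combining the two policies from the question. The helper names `buildCsp`, `withCsp` and `start` are hypothetical, and the port is whatever the caller passes.

```javascript
const http = require('http');

// Serialize { directive: [sources] } into a Content-Security-Policy value.
// buildCsp is a hypothetical helper, not a Node or Express API.
function buildCsp(directives) {
  return Object.entries(directives).map(([name, sources]) => {
    if (!/^[a-z-]+$/.test(name)) throw new Error('bad directive name: ' + name);
    for (const src of sources) {
      // ';' and ',' separate directives and policies, whitespace separates
      // sources, so none of them may appear inside a single source value.
      if (/[;,\s]/.test(src)) throw new Error('bad source: ' + src);
    }
    return [name, ...sources].join(' ');
  }).join('; ');
}

// Wrap a request handler so the header is set before the handler runs.
// Headers set with setHeader() are merged into a later writeHead() call,
// so the policy is still sent when the handler writes its own headers.
function withCsp(policy, handler) {
  return function (req, res) {
    res.setHeader('Content-Security-Policy', policy);
    return handler(req, res);
  };
}

const policy = buildCsp({
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://apis.google.com'],
});

const server = http.createServer(withCsp(policy, (req, res) => {
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end('<!doctype html><title>ok</title>');
}));

// Call start(port) to serve; the port is chosen by the caller.
function start(port) {
  return server.listen(port);
}
```

After calling `start`, the response headers in the browser's network tab or from `curl -I` should show the `Content-Security-Policy` line.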