Document how to set both CSP and CSP-Report-Only headers

See [#351][0]. [0]: #351
helmetjs · Apr 1, 2022 · 7848f5a · 7848f5a
1 parent 68db79c
commit 7848f5a
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Added
+
+- Documented how to set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only`
+
 ### Changed
 
 - Cleaned up some documentation around `Origin-Agent-Cluster`

diff --git a/README.md b/README.md
@@ -154,7 +154,7 @@ These directives are merged into a default policy, which you can disable by sett
     style-src 'self' https: 'unsafe-inline';
     upgrade-insecure-requests
 
-`options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead.
+`options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead. If you want to set _both_ the normal and `Report-Only` headers, see [this code snippet](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560).
 
 You can also get the default directives object with `helmet.contentSecurityPolicy.getDefaultDirectives()`.
 

diff --git a/middlewares/content-security-policy/README.md b/middlewares/content-security-policy/README.md
@@ -46,7 +46,7 @@ You can also get the default directives object with `contentSecurityPolicy.getDe
 
 You can set any directives you wish. `defaultSrc` is required, but can be explicitly disabled by setting its value to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`. Directives can be kebab-cased (like `script-src`) or camel-cased (like `scriptSrc`). They are equivalent, but duplicates are not allowed.
 
-The `reportOnly` option, if set to `true`, sets the `Content-Security-Policy-Report-Only` header instead.
+The `reportOnly` option, if set to `true`, sets the `Content-Security-Policy-Report-Only` header instead. If you want to set _both_ the normal and `Report-Only` headers, see [this code snippet](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560).
 
 This middleware does minimal validation. You should use a more sophisticated CSP validator, like [Google's CSP Evaluator](https://csp-evaluator.withgoogle.com/), to make sure your CSP looks good.