Set Content-Security-Policy: default-src 'self' header

pillarjs · Feb 15, 2017 · 63425d0 · 63425d0
1 parent 7aa2d9c
commit 63425d0
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -5,6 +5,7 @@ unreleased
   * Fully URL-encode the pathname in the 404 message
   * Only include the pathname in the 404 message
   * Send complete HTML document
+  * Set `Content-Security-Policy: default-src 'self'` header
   * deps: debug@2.6.1
     - Allow colors in workers
     - Deprecated `DEBUG_FD` environment variable set to `3` or higher

diff --git a/index.js b/index.js
@@ -249,7 +249,8 @@ function send (req, res, status, headers, message) {
     // response headers
     setHeaders(res, headers)
 
-    // security header for content sniffing
+    // security headers
+    res.setHeader('Content-Security-Policy', "default-src 'self'")
     res.setHeader('X-Content-Type-Options', 'nosniff')
 
     // standard headers

diff --git a/test/test.js b/test/test.js
@@ -255,13 +255,20 @@ describe('finalhandler(req, res)', function () {
       .expect(404, '', done)
     })
 
-    it('should include security header', function (done) {
+    it('should include X-Content-Type-Options header', function (done) {
       request(createServer())
       .get('/foo')
       .expect('X-Content-Type-Options', 'nosniff')
       .expect(404, done)
     })
 
+    it('should includeContent-Security-Policy header', function (done) {
+      request(createServer())
+      .get('/foo')
+      .expect('Content-Security-Policy', "default-src 'self'")
+      .expect(404, done)
+    })
+
     it('should not hang/error if there is a request body', function (done) {
       var buf = new Buffer(1024 * 16)
       var server = createServer()
@@ -287,13 +294,20 @@ describe('finalhandler(req, res)', function () {
       .expect(404, '', done)
     })
 
-    it('should include security header', function (done) {
+    it('should include X-Content-Type-Options header', function (done) {
       request(createServer(createError('boom!')))
       .get('/foo')
       .expect('X-Content-Type-Options', 'nosniff')
       .expect(500, done)
     })
 
+    it('should includeContent-Security-Policy header', function (done) {
+      request(createServer(createError('boom!')))
+      .get('/foo')
+      .expect('Content-Security-Policy', "default-src 'self'")
+      .expect(500, done)
+    })
+
     it('should handle non-error-objects', function (done) {
       request(createServer('lame string'))
       .get('/foo')