Security Middleware
Content Security Policy
Configure Content Security Policy (CSP) with nonce and hash support to protect against XSS attacks and control resource loading.
Basic CSP Configuration
MoroJS provides built-in CSP middleware with support for nonces, hashes, and comprehensive directive configuration.
Enable Content Security Policy
CSP Directives
- defaultSrc - Default source for all resources
- scriptSrc - Allowed sources for JavaScript
- styleSrc - Allowed sources for CSS
- imgSrc - Allowed sources for images
- connectSrc - Allowed sources for network requests
- fontSrc - Allowed sources for fonts
- objectSrc - Allowed sources for plugins
- mediaSrc - Allowed sources for media
Advanced Configuration
Comprehensive CSP Setup
Nonce and Hash Support
Using Nonces and Hashes
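To show how the two mechanisms above fit together, here is an added example that is not MoroJS's own middleware code: a per-request nonce, a SHA-256 hash source for a static inline script, and a serializer that turns the camelCase directive names listed above into a Content-Security-Policy header value. The CspDirectives type and the buildCsp helper are assumptions for illustration, not MoroJS's API.

```typescript
import { createHash, randomBytes } from "crypto";

// Directive map using the camelCase names from the directive list above.
// This type is an assumption for illustration, not MoroJS's own option type.
type CspDirectives = {
  defaultSrc?: string[];
  scriptSrc?: string[];
  styleSrc?: string[];
  imgSrc?: string[];
  connectSrc?: string[];
  fontSrc?: string[];
  objectSrc?: string[];
  mediaSrc?: string[];
  upgradeInsecureRequests?: boolean;
};

// Per-request nonce: 128 bits from a CSPRNG, base64-encoded (24 characters).
// A nonce must be fresh for every response, never reused across requests.
export function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

// Hash source for a static inline script or style: 'sha256-<base64 digest>'.
// The content must match the inline block byte-for-byte, whitespace included.
export function hashSource(content: string): string {
  const digest = createHash("sha256").update(content, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// scriptSrc -> script-src, upgradeInsecureRequests -> upgrade-insecure-requests
function toDirectiveName(key: string): string {
  return key.replace(/[A-Z]/g, (c) => `-${c.toLowerCase()}`);
}

// Serialize directives into a header value, attaching the request nonce
// to script-src and style-src so nonce-tagged inline blocks are allowed.
export function buildCsp(directives: CspDirectives, nonce?: string): string {
  const parts: string[] = [];
  for (const [key, value] of Object.entries(directives)) {
    if (value === undefined) continue;
    const name = toDirectiveName(key);
    if (typeof value === "boolean") {
      if (value) parts.push(name); // boolean directives have no source list
      continue;
    }
    const sources = [...value];
    if (nonce && (key === "scriptSrc" || key === "styleSrc")) {
      sources.push(`'nonce-${nonce}'`);
    }
    parts.push(`${name} ${sources.join(" ")}`);
  }
  return parts.join("; ");
}
```

A hash source only matches the exact inline content, so any template change to that script requires regenerating the hash, while a nonce only requires the same value on the header and the tag for that one response.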
Best Practices
Do
- Use nonces for dynamic inline scripts/styles
- Use hashes for static scripts/styles
- Start with reportOnly: true in development
- Set objectSrc: ["'none'"] to block plugins
- Use upgradeInsecureRequests for HTTPS
- Monitor CSP violation reports
Don't
- Use 'unsafe-inline' for scripts
- Use 'unsafe-eval' unless necessary
- Allow '*' for any directive
- Skip CSP for production
- Ignore CSP violation reports
- Use weak CSP policies