Cursor-generated Express middleware for the public web app and API.
The React SPA loads bundled scripts from the same origin and calls the same-origin API. There are no third-party script tags in the current page template.
Select suspicious lines in the terminal to flag them before submitting your verdict.
// Security-header setup for an Express app, using helmet.
const helmet = require('helmet');

// NOTE(review): `express` is called here but not required in this excerpt;
// confirm it is brought into scope before this line.
const app = express();

// Content-Security-Policy: each listed fetch type is limited to the page's own
// origin. A script, API endpoint or image host on another origin is blocked by
// the browser until it is added here.
// NOTE(review): depending on the installed helmet version, helmet's default
// directives may be merged with these (see its `useDefaults` option); check
// the header actually sent.
const cspDirectives = {
  defaultSrc: ["'self'"],
  // No 'unsafe-inline' or 'unsafe-eval': inline and eval'd script is refused.
  scriptSrc: ["'self'"],
  // Covers fetch/XHR/WebSocket destinations.
  connectSrc: ["'self'"],
  // data: additionally permits images embedded as data URIs.
  imgSrc: ["'self'", "data:"],
};

// Strict-Transport-Security: maxAge is in seconds (31536000 s = 365 days).
// includeSubDomains extends the policy to every subdomain, so all of them must
// be reachable over HTTPS. Browsers ignore this header on plain-HTTP responses.
const hstsOptions = {
  maxAge: 31536000,
  includeSubDomains: true,
};

// Referrer-Policy: no Referer header is sent on outgoing requests/navigations.
const referrerOptions = { policy: 'no-referrer' };

// Registered before any routes so every response carries the headers.
const securityHeaders = helmet({
  contentSecurityPolicy: { directives: cspDirectives },
  hsts: hstsOptions,
  referrerPolicy: referrerOptions,
});
app.use(securityHeaders);

// app.listen starts a plain HTTP server on port 3000.
// NOTE(review): presumably TLS is terminated by a proxy in front of this
// process, since HSTS only takes effect over HTTPS; confirm the deployment.
app.listen(3000);