AI-generated response-header middleware, written while tightening an Express app that serves a React shell.
The React shell uses nonce-bearing inline bootstrap scripts, and application assets are served from same-origin routes.
const crypto = require('crypto');
const helmet = require('helmet');
const express = require('express');
const app = express();

// Mint a fresh CSP nonce for every response and publish it on res.locals so
// that the rendered shell (inline bootstrap scripts) and the CSP header that
// is emitted later in the chain use the same value. randomUUID() is backed by
// Node's CSPRNG, so the value is unpredictable per request.
app.use((req, res, next) => {
  const nonce = crypto.randomUUID();
  res.locals.cspNonce = nonce;
  return next();
});
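// Security response headers (CSP + HSTS).
//
// The middleware is built once at startup instead of on every request: helmet
// accepts a function as a directive value and invokes it with (req, res) when
// the header is written, so the per-request nonce from res.locals still lands
// in script-src without re-instantiating helmet per request.
//
// NOTE(review): helmet merges these directives with its built-in defaults
// unless useDefaults is set to false — confirm for the installed version which
// of base-uri / form-action / frame-ancestors / script-src-attr are covered by
// the defaults, and set them explicitly here if they are not.
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        // 'self' covers the same-origin bundles; the nonce authorizes only the
        // inline bootstrap scripts that carry the matching nonce attribute.
        scriptSrc: [
          "'self'",
          (req, res) => {
            const nonce = res.locals.cspNonce;
            // A missing nonce must not degrade into the constant, guessable
            // 'nonce-undefined'; it means the nonce middleware was not mounted
            // ahead of this one, which is a configuration error.
            if (typeof nonce !== 'string' || nonce.length === 0) {
              throw new Error('CSP nonce middleware must run before helmet');
            }
            return `'nonce-${nonce}'`;
          },
        ],
        styleSrc: ["'self'"],
        imgSrc: ["'self'", "data:"],
        connectSrc: ["'self'"],
        fontSrc: ["'self'"],
        objectSrc: ["'none'"],
        upgradeInsecureRequests: [],
      },
    },
    hsts: {
      maxAge: 31536000, // one year, in seconds
      includeSubDomains: true,
      // preload commits this host and every subdomain to HTTPS in browser
      // preload lists; only keep it if all subdomains can serve TLS.
      preload: true,
    },
  }),
);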