How to add Content Security Policy Headers to the Web

Hi Everyone,

I would like to seek help with adding the Content Security Policy (CSP) headers to the “web” workspace. I did try to use helmet on server.ts, but the CSP headers only apply to the backend.


Hi. Could you elaborate on your needs a bit more? I confess I haven’t used CSP before (see Content Security Policy (CSP) - HTTP | MDN).

Is the issue that:

  • you need to add the meta tag
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; img-src https://*; child-src 'none';" />

Question:

  • are you deploying serverful (Render, Fly, bare metal, etc) and using the Redwood server file?
  • or, on Vercel/Netlify?
  • do you want the CSP policy on all assets, or just on GraphQL responses or function responses?

Did you try to figure out a Fastify plugin on server.ts?

Hi @dthyresson,

Currently, my solution is deployed in docker.

My use case is to have CSP headers across the entire application, because the application scan tool below reported the CSP header in the application.

So far, what I have done is apply Helmet on server.ts. I have noticed that both the API endpoints and GraphQL contain CSP headers.

I do want the frontend pages and assets to have the headers as well. Although I have tried to add the CSP headers in the vite.config.js file, it seems that not all of the pages, and none of the assets, contain the headers.

I am wondering if I can apply Helmet to the web server?

I did try to add CSP via the meta tag, but I observed that there are no CSP headers in the response headers.

Hi @dthyresson ,

I would like to check with you if there is any way that I can modify webServer.ts (packages/web-server/src/webServer.ts)?

I am looking to add Fastify Helmet to webServer.ts.

Furthermore, I have noticed that the server headers configuration made in the viteConfig object of the vite.config.ts file is not applied to the frontend when running yarn rw build web. Such changes are only reflected in local development. Is there a bug?