-[How do I upgrade from Helmet 3 to Helmet 4?]({{< ref "faq/helmet-4-upgrade" >}})
11
11
-[How do I set a Content Security Policy nonce?]({{< ref "faq/csp-nonce-example" >}})
12
12
-[How do I set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only` headers?](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560)
13
+
-[How do I set legacy Content Security Policy headers?]({{< ref "faq/legacy-csp-headers" >}})
13
14
-[How should I use Helmet with non-document responses?]({{< ref "faq/non-documents" >}})
14
15
-[How do I set a custom `X-Powered-By` header?]({{< ref "faq/custom-x-powered-by" >}})
15
16
-[How do I disable blocking with the `X-XSS-Protection` header?]({{< ref "faq/x-xss-protection-disable-blocking" >}})
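Review bot: The added index entry at line 13 describes its subject only as "legacy Content Security Policy headers", while neighbouring entries name their headers in backticks (`Content-Security-Policy-Report-Only`, `X-Powered-By`, `X-XSS-Protection`). Consider naming `X-WebKit-CSP` and `X-Content-Security-Policy` in the link text so a reader searching the FAQ for either header finds this entry. Placing it next to the other CSP questions is right.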
title: How do I set legacy Content Security Policy headers?
3
+
---
4
+
5
+
In Helmet v3 and `helmet-csp` v2, there is a `setAllHeaders` option. This sets the modern `Content-Security-Policy` header and the legacy `X-WebKit-CSP` and `X-Content-Security-Policy` headers.
6
+
7
+
In Helmet 4+, this option was removed. To achieve the same effect, add this middleware after you use Helmet:
8
+
9
+
```js
10
+
// Make sure to use this AFTER you use Helmet's middleware.
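Review bot: The new page states the ordering requirement twice, in the prose at line 8 ("add this middleware after you use Helmet") and again in the code comment at line 10, but never says why the order matters. State it once together with the reason, and say whether the snippet also covers `Content-Security-Policy-Report-Only`, since the FAQ index links a separate question about that header. A sentence on which clients still read `X-WebKit-CSP` and `X-Content-Security-Policy` would help readers decide whether they need this middleware at all.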