How it works...

Everything is pretty straightforward with Helmet. You specify the security measures you want to implement by choosing and applying a specific Helmet middleware function, and Helmet does the work of setting the right response headers that are sent to the client.

On the client side (the web browser), everything works on its own. The browser is in charge of interpreting the headers sent by the server and applying the security policies they describe. This also means that old browsers cannot support or understand all of these headers. That said, there are not many good reasons to support old web browsers if you have security in mind for your application.

If you are using Chrome, for instance, you should be able to see something similar to this in the console:

Chrome Dev Tools | Console displaying CSP violation
  1. In the Terminal, you should see output similar to the following, which is what the browser sent to the report endpoint:
      CSP Report Violation: {
          "csp-report": {
              "document-uri": "http://localhost:1337/",
              "referrer": "",
              "violated-directive": "img-src",
              "effective-directive": "img-src",
              "original-policy": "default-src 'none'; script-src '[nonce]'; report-uri /csp-violation",
              "disposition": "enforce",
              "blocked-uri": "http://evil.com/pic.jpg",
              "line-number": 9,
              "source-file": "http://localhost:1337/",
              "status-code": 200
          }
      }
      CSP Report Violation: {
          "csp-report": {
              "document-uri": "http://localhost:1337/",
              "referrer": "",
              "violated-directive": "script-src",
              "effective-directive": "script-src",
              "original-policy": "default-src 'none'; script-src '[nonce]'; report-uri /csp-violation",
              "disposition": "enforce",
              "blocked-uri": "inline",
              "line-number": 9,
              "status-code": 200
          }
      }
      CSP Report Violation: {
          "csp-report": {
              "document-uri": "http://localhost:1337/",
              "referrer": "",
              "violated-directive": "script-src",
              "effective-directive": "script-src",
              "original-policy": "default-src 'none'; script-src '[nonce]'; report-uri /csp-violation",
              "disposition": "enforce",
              "blocked-uri": "http://evil.com/evilstuff.js",
              "status-code": 200
          }
      }