Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlogGuides & Tutorials
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

Custom CSP for Payload in Express server with frontend app

default discord avatar
58bitslast year

Posting here in case anyone else comes across this. We have a custom express server serving both Payload and our frontend app. Payload admin is available via

/admin

The frontend app and Payload have quite different CSP settings. If you're using

https://helmetjs.github.io/

- then you can chain helmet middleware and return different policies depending on the request path. For example...



// CSP policy via helmet
app.use(function (req, res, next) {
  let middleware
  // If we've mounted Payload CMS on /admin - change the CSP to suit.
  if (req.path.startsWith('/admin')) {
    middleware = helmet({
      contentSecurityPolicy: {
        'script-src': [
            "'self'"
          ],
          'img-src': ["'self'", 'data:', 'cdn.yourcdn.com'],
          'media-src': ["'self'", 'data:', 'cdn.yourcdn.com'],
          'default-src': ["'self'"]
      }
    })
  } else {
    middleware = helmet({
      crossOriginEmbedderPolicy: false,
      contentSecurityPolicy: {
        // NOTE: Remove reportOnly when you're ready to enforce this CSP
        // reportOnly: true,
        directives: {
          'connect-src': [
            ENVIRONMENT === 'development' ? 'ws:' : null,
            "'self'",
          ].filter(Boolean),
          'script-src': [
            "'strict-dynamic'",
            "'self'", // Ignored by CSP 3 compliant browsers when strict-dynamic - here for backwards compat.
            "'unsafe-inline'", // Ignored by CSP 3 compliant browsers when strict-dynamic - here for backwards compat.
            'https:', // Ignored by CSP 3 compliant browsers when strict-dynamic - here for backwards compat.
            'http:', // Ignored by CSP 3 compliant browsers when strict-dynamic - here for backwards compat.
            (_, res) => `'nonce-${res.locals.cspNonce}'`
          ],
          'script-src-attr': [
            (_, res) => `'nonce-${res.locals.cspNonce}'`
          ],
          'font-src': ["'self'"],
          'frame-src': ["'self'"],
          'img-src': ["'self'", 'data:', 'cdn.yourcdn.com'],
          'media-src': ["'self'", 'data:', 'cdn.yourcdn.com'],
          'default-src': ["'self'"],
          'upgrade-insecure-requests': null
        }
      }
    })
  }

  middleware(req, res, next)
})

Hope this helps ;-)

    Open

    Continue the discussion in Discord

    Star on GitHub

    Star

    Chat on Discord

    Discord

    online

    Can't find what you're looking for?

    Get dedicated engineering support directly from the Payload team.