From aeb6d5522836e5afd7e3c4476ae32172a8a7efa7 Mon Sep 17 00:00:00 2001
From: "Guilherme M. Petry" <44437770+petry078@users.noreply.github.com>
Date: Tue, 26 Dec 2023 16:48:41 -0300
Subject: [PATCH] Content (Content Security Policy) added to Intro on Web Security with Helmet.js
---
 ...23-01-31-intro-on-web-security-with-helmet-js.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/docs/posts/2023-01-31-intro-on-web-security-with-helmet-js.md b/docs/posts/2023-01-31-intro-on-web-security-with-helmet-js.md
index 5d7e1cb..a8d9fd6 100644
--- a/docs/posts/2023-01-31-intro-on-web-security-with-helmet-js.md
+++ b/docs/posts/2023-01-31-intro-on-web-security-with-helmet-js.md
@@ -47,7 +47,18 @@ On `app.js` write `app.use(helmet());` to include all manual configurations list
 * `app.use(helmet.noCache());` prevents your user to use cached versions of your application. This can be good when you just pushed a security update.
-* `app.use(helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", "trusted-cdn.com"] }} ));` Content Security Policy will help protect against data injection attacks, Cross-Site Scripting (XSS), Content Security Policy (CPS) attacks, undesired tracking, malicious frames and more.
+* Content Security Policy:
+
+```js
+app.use(helmet.contentSecurityPolicy({
+ directives:{
+ scriptSrc: ["'self'"],
+ styleSrc: ["'self'"]
+ }
+}))
+```
+
+`scriptSrc` and `styleSrc` with `"'self'"` will restrict the execution of scripts and stylesheets, originated from the same origin as the domain itself. These `directives` enhance security by mitigating Cross-Site Scripting (XSS) and file injection attacks.
 > Test repository: [https://replit.com/@GuilhermePetry/boilerplate-infosec](https://replit.com/@GuilhermePetry/boilerplate-infosec)
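Review bot: The new snippet drops the `defaultSrc: ["'self'"]` that the removed line carried, so whether anything beyond scripts and stylesheets is constrained now depends on the Helmet version: Helmet 5+ merges its default directives (including `default-src 'self'`) unless `useDefaults: false` is passed, but the `helmet.noCache()` bullet just above was removed in Helmet 4, which suggests the post targets an older release where no defaults are merged and img/connect/frame/object sources would stay unrestricted. Keeping `defaultSrc: ["'self'"]` as the first directive makes the example hold regardless of version. Readers should also be told that a `'self'`-only `scriptSrc`/`styleSrc` blocks inline `<script>`/`<style>` and inline event handlers unless a nonce or hash is added, since that is the most common breakage when a CSP is first enabled. For the explanatory sentence, `restrict scripts and stylesheets to those served from the same origin as the page` reads more clearly than "originated from the same origin as the domain itself", and "file injection attacks" is not a recognised term — the removed line's "data injection" is closer to what CSP mitigates.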