Consider an Express app that uses app.use(helmet()) with no options. What does this do?
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet()); // no options: Helmet's default set of middleware
app.get('/', (req, res) => res.send('Hello'));
app.listen(3000);
Think about what Helmet does by default without extra options.
Helmet by default sets multiple security headers like X-DNS-Prefetch-Control, X-Frame-Options, Strict-Transport-Security, and others with safe defaults to protect the app.
You want to disable the Content Security Policy (CSP) middleware in Helmet. Which code snippet is correct?
Check Helmet's option object syntax for disabling specific middleware.
Helmet accepts an options object where setting contentSecurityPolicy: false disables that middleware.
Review this code snippet and identify why it throws an error when starting the server.
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet.contentSecurityPolicy()); // the line the question asks about
app.listen(3000);
Check how Helmet middleware functions are accessed.
helmet.contentSecurityPolicy is not directly callable unless it is imported separately. The correct way is to use helmet() or to import the middleware from 'helmet'.
Given this Express app code, which security header will NOT be set?
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet({ frameguard: false, dnsPrefetchControl: false })); // two middleware disabled explicitly
app.get('/', (req, res) => res.send('OK'));
app.listen(3000);
Look at which middleware are disabled explicitly.
Setting frameguard: false and dnsPrefetchControl: false disables those headers. Other default headers remain set.
In a React single-page app served by Express with Helmet, why must the Content Security Policy (CSP) be configured carefully?
Think about what CSP blocks and how React uses scripts and styles.
React apps often use inline scripts or styles during development or runtime. A strict CSP without allowing these will block them, breaking the app.