csp-headers

0.0.4 • Public • Published

CSP-headers

Connect middleware that allows you to define a CSP policy as a JS object.

tl;dr

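var connect = require('connect'),
    // Installed with `npm i csp-headers`; assumed to export the policy factory directly.
    createCSP = require('csp-headers');

// The policy as a plain object: directive name -> source.
var config = {
    directives: {
        'default-src': 'self'
    }
};

var port = process.env.port || 3001;
// Middleware that sets the Content-Security-Policy header on each response.
var policy = createCSP(config);
var app = connect();
app.use(policy)
   .listen(port);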

Check your headers:

$ curl -I http://localhost:3001/

curl -I 127.0.0.1:3001
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'
Accept-Ranges: bytes
Date: Fri, 19 Dec 2014 00:01:33 GMT
Cache-Control: public, max-age=0
Last-Modified: Thu, 18 Dec 2014 23:36:49 GMT
ETag: W/"504-3820769223"
Content-Type: text/html; charset=UTF-8
Content-Length: 1284
Connection: keep-alive
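
How a directives object like the one above becomes the header value curl shows, as an added example that is not the csp-headers source. The names buildPolicy, formatSource and cspMiddleware and the sample policy are hypothetical; it also rejects values that would inject extra directives.

```javascript
// Added example, not the csp-headers implementation; all names here are hypothetical.

// Keyword sources must be single-quoted in the header; hosts and schemes must not be.
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic']);

function formatSource(src) {
  const s = String(src).trim();
  // Refuse separators and whitespace so one value cannot smuggle in extra sources or directives.
  if (s === '' || /[;,\s]/.test(s)) {
    throw new Error('invalid CSP source: ' + JSON.stringify(src));
  }
  const bare = s.replace(/^'(.*)'$/, '$1'); // accept both self and 'self'
  if (KEYWORDS.has(bare) || /^(nonce|sha(256|384|512))-/.test(bare)) {
    return "'" + bare + "'";
  }
  return s;
}

function buildPolicy(config) {
  return Object.keys(config.directives).map(function (name) {
    if (!/^[a-z][a-z0-9-]*$/.test(name)) {
      throw new Error('invalid directive name: ' + JSON.stringify(name));
    }
    const value = config.directives[name];
    const sources = (Array.isArray(value) ? value : [value]).map(formatSource);
    return [name].concat(sources).join(' ');
  }).join('; ');
}

// Connect-style middleware: serialize once at startup, set the header on every response.
function cspMiddleware(config) {
  const headerValue = buildPolicy(config);
  return function (req, res, next) {
    res.setHeader('Content-Security-Policy', headerValue);
    next();
  };
}

// Constructed sample policy.
const sample = {
  directives: {
    'default-src': 'self',
    'script-src': ['self', 'https://cdn.example.com'],
    'object-src': 'none'
  }
};
console.log(buildPolicy(sample));
```

Because the policy is serialized when the middleware is created, a malformed directive fails at startup instead of sending a broken header on live responses.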

Debugging with Firefox

Firefox's Web Console includes a category for security messages that can be somewhat helpful for debugging your CSP policy.

Install

npm i csp-headers

License

MIT

Collaborators

  • canuckistani