Merge pull request #2713 from BigGillyStyle/patch-1

kamilmysliwiec · web-flow · commit 65b5bce51f03 · 2023-04-27T09:17:37.000+02:00
Update helmet.md to work with Apollo v4 and Apollo Sandbox
diff --git a/content/security/helmet.md b/content/security/helmet.md
@@ -20,6 +20,21 @@ import helmet from 'helmet';
 app.use(helmet());
 ```
 
+> warning **Warning** When using `helmet`, `@apollo/server` (4.x), and the [Apollo Sandbox](https://docs.nestjs.com/graphql/quick-start#apollo-sandbox), there may be a problem with [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) on the Apollo Sandbox. To solve this issue configure the CSP as shown below:
+>
+> ```typescript
+> app.use(helmet({
+>   crossOriginEmbedderPolicy: false,
+>   contentSecurityPolicy: {
+>     directives: {
+>       imgSrc: [`'self'`, 'data:', 'apollo-server-landing-page.cdn.apollographql.com'],
+>       scriptSrc: [`'self'`, `https: 'unsafe-inline'`],
+>       manifestSrc: [`'self'`, 'apollo-server-landing-page.cdn.apollographql.com'],
+>       frameSrc: [`'self'`, 'sandbox.embed.apollographql.com'],
+>     },
+>   },
+> }));
+
 #### Use with Fastify
 
 If you are using the `FastifyAdapter`, install the [@fastify/helmet](https://github.com/fastify/fastify-helmet) package:
