CSP Configuration for React Apps
Configure Content Security Policy for React applications. Handle JSX, styled-components, CSS-in-JS, Create React App, and common React library CSP requirements with practical examples.
Detailed Explanation
CSP for React Applications
React applications have specific CSP requirements due to their rendering model, CSS-in-JS usage, and build tooling. A well-configured CSP protects your React app without breaking its functionality.
Baseline Policy for React
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' https://api.example.com
Most React apps need:
script-src 'self'— bundled JavaScript filesstyle-src 'self' 'unsafe-inline'— for CSS-in-JS libraries (ideally use nonces instead)img-src 'self' data:— for inline images and iconsconnect-src— for API endpoints
CSS-in-JS Libraries
styled-components injects <style> tags at runtime. Without CSP support:
style-src 'unsafe-inline' // Works but insecure
With nonce support (styled-components v5+):
// Server-side: pass nonce to StyleSheetManager
import { StyleSheetManager } from 'styled-components';
<StyleSheetManager nonce={nonce}>
<App />
</StyleSheetManager>
Emotion / MUI also supports nonces via the CacheProvider:
import createCache from '@emotion/cache';
const cache = createCache({ key: 'css', nonce: nonce });
Create React App (CRA)
CRA's development server uses inline scripts for Hot Module Replacement. For development:
script-src 'self' 'unsafe-eval' 'unsafe-inline'
For production builds, CRA generates external script files, so you can use a strict policy:
script-src 'self'
If using INLINE_RUNTIME_CHUNK=false in .env, CRA will not inline the Webpack runtime, making a strict script-src fully compatible.
React Helmet for Meta CSP
While the <meta> tag approach has limitations (no report-uri, no frame-ancestors), React Helmet can set a CSP meta tag for SPAs without server control:
<Helmet>
<meta httpEquiv="Content-Security-Policy"
content="default-src 'self'; script-src 'self'" />
</Helmet>
Common React Library Requirements
| Library | CSP Requirement |
|---|---|
| React Router | No special CSP needed |
| Redux | No special CSP needed |
| styled-components | style-src nonce or 'unsafe-inline' |
| Material UI | style-src nonce (Emotion) |
| React Query | connect-src for API origins |
| Recharts/D3 | style-src 'unsafe-inline' or nonce for dynamic SVG styles |
Production Checklist
- Remove
'unsafe-eval'(not needed in production React) - Replace
'unsafe-inline'with nonces for style-src - Verify all API endpoints are in connect-src
- Test with report-only mode before enforcing
Use Case
React is the most popular frontend framework, and most React apps need CSP configuration. SPAs built with Create React App, Vite, or custom Webpack configs all generate bundled scripts that work with script-src 'self'. The main challenge is CSS-in-JS libraries that require style-src configuration. Teams migrating from no CSP to a strict policy benefit from understanding React-specific requirements.