Dev: Helmet CSP blocks Vite HMR WebSocket in development #131
Labels
No Label
P0 Critical
P1 High
P2 Medium
P3 Low
accessibility
backend
bug
content
data-integrity
enhancement
frontend
infra
integration
owner
owner-input
performance
performance
phase-7
phase-8
security
seo
ui
ux
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: null/Queue-North-Website#131
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem
Helmet CSP is always enabled, including in development. The CSP connect-src is set to 'self' only.
Vite HMR uses a WebSocket connection to localhost (usually ws://localhost:5173 or a random port), which would be blocked by connect-src: 'self' when the Express server is serving the page on port 3001.
In practice, Vite's proxy config in vite.config.js proxies /api to localhost:3001, so the dev server handles HMR on port 5173. This means CSP from the Express server is not applied during development (the Vite dev server doesn't use Helmet).
So this is NOT currently a bug in dev, but if someone tries to run the built version with HMR or hot reloading, it would fail.
Fix
Either:
if (process.env.NODE_ENV !== 'production') app.disable('content-security-policy')Files
Severity
Low — not currently affecting development, but CSP should be dev-adjustable