Helmet Connect-Src CSP is present on Dev, but Not on Production? [SOLVED]

vikr00001 · January 25, 2025, 10:42pm

Here’s my helmetOptions.contentSecurityPolicy.directives.connectSrc:

[
  "'self'",
  "http://myDomainName",
  "ws://myDomainName",
  "https://*.myServiceProvider_1.io/",
  "https://*.myServiceProvider_2.com/",
  "https://*.myServiceProvider_3.net/",
  "https://*.google-analytics.com/",
  "https://*.google.com/",
  "https://stats.g.doubleclick.net/",
  "https://analytics.google.com/",
  [.....]
]

It gets added to my site’s CSP and on local dev, everything works as expected.

In the Network tab of browser dev tools, you can see what the CSP looks like as received by the browser. Here’s what it is on local dev for connect-src:

[.....] connect-src 'self' http://myDomainName ws://myDomainName https://*.myServiceProvider_1.io/ https://*.myServiceProvider_2.com/ https://*.myServiceProvider_3.net/ https://*.google-analytics.com/ https://*.google.com/ https://stats.g.doubleclick.net/ https://analytics.google.com/ [.....];

But here’s what it looks like in production, hosted on Galaxy:

[.....]connect-src * 'self';

There’s nothing there – it’s all missing.

How can that be?

Most of the rest of my CSP is on the production site, but there are other anomalies in that CSP as well. I’m listing just this one in the hope that if I fix it, the others will also be fixed.

vikr00001 · January 26, 2025, 12:58am

I think this is something Meteor – or Helmet – is doing, because the Meteor docs seem to think connectSrc should allow everything:

[…] except for connect which allows anything (since meteor apps make websocket connections to a lot of different origins).

… and in production connectSrc has the * that accepts everything:

connect-src * 'self';

vikr00001 · January 27, 2025, 3:12am

Update I was trying out Browser-Policy for a while, and even though nothing in my code was importing it, it still interacted with the csp created by Helmet. However this may not be normal behavior for Browser-Policy. Even after running meteor remove browser-policy, I was still getting deployment errors saying “browser-policy not found”. I was able to fix it by:

Returning to a previous version of the project folder that I had stored in a backup
Downloading the latest code from remote git repo

So possibly there was some sort of file corruption on my local Meteor installation in the old folder.