How to use BrowserPolicy?

I tried adding (with meteor add) and importing:

import { BrowserPolicy } from 'meteor/browser-policy-common';


import { BrowserPolicy } from 'meteor/browser-policy';

But I keep having Cannot read property 'content' of undefined (BrowserPolicy is undefined)

Using Meteor 1.7

Any idea?

It might be linked to this issue. Try using the global.

The first approach should have worked.

There is a PR request to the Guide to promote Helmet and deprecate the old browser policy. So I would recommend taking a look into that.

Honestly you don’t even need the package and can use the WebApp to set browser policy. Like this (with a basic example of some of the policies implemented):

import { WebApp } from 'meteor/webapp';

Meteor.startup(() => {
  WebApp.rawConnectHandlers.use((req, res, next) => {
    // Cache control
    res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate, max-age=0');
    res.setHeader('Pragma', 'no-cache');
    res.setHeader('Strict-Transport-Security', 'max-age=86400; includeSubDomains');
    // Prevent Adobe stuff loading content on our site
    res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');
    // Frameguard -
    res.setHeader('X-Frame-Options', 'DENY');
    // X-XSS protection
    res.setHeader('X-XSS-Protection', '1; mode=block');
    // No content sniffing
    res.setHeader('X-Content-Type-Options', 'nosniff');
    // DNS pre-fetching
    res.setHeader('X-DNS-Prefetch-Control', 'off');
    // Expect CT
    res.setHeader('Expect-CT', 'enforce, max-age=604800');
    // Links referrer policy
    res.setHeader('Referrer-Header', 'same-origin');
    // Prevent IE from executing downloads in page content
    res.setHeader('X-Download-Options', 'noopen');

    // Content security policy
    const csp = [
      res.setHeader('Content-Security-Policy', csp.join(' '));
      return next();

You need to import in on the server, not on the client!

Meteor determines the browser policy when the server starts up, so you should call BrowserPolicy functions on the server in top-level application code or in Meteor.startup . BrowserPolicy functions cannot be used in client code.