"Missing OWASP secure headers" error in zoom client mac

Hello, @everyone. I am facing error Missing OWASP Secure Headers: ["X-Content-Type-Options","Content-Security-Policy","Referrer-Policy"] for URL in mac zoom client.

image736×402 32.5 KB

<Helmet>
        <meta http-equiv="X-Content-Type-Options" content="nosniff" />
        <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:; script-src 'self' https://example.vercel.app/; style-src 'self'; img-src *; font-src 'self' data:;" />
        <meta name="referrer" content="no-referrer" />
</Helmet>

The app was built in React.js and it works properly in windows zoom desktop client.
What should I do to get the page loading exactly in mac zoom client?
Kindly help me please
Thank you

It looks like you’re using react-helmet to set meta tags in the client side. Instead, these values should be set as headers that should be sent by the server when the page is requested. In other words, by the time the client receives this page with the meta tags set, it is too late to change the headers.

react-helmet is designed to set data in the HEAD tag of a react app. To set the headers you should use a method on the server side. If you are using Express to serve this application, you can use a similarly named package called ‘helmet’ to set HTTP headers:

Let me know if that helps.

@MaxM Thank you for your reply.

I used zoomapps-sample-js as a backend. I am just calling endpoint from the back-end. So I don’t have any express server for now. To resolve this problem, should I build the express server and run the front-end on it?

Thank you again

The Basic Sample App includes an express server that will set these headers so you can run that to get started. Regardless of the backend that you use, you want these headers to be set.

I just build the express backend and set the Secure header

But I’m still getting this error - Missing OWASP Secure Headers: ["Strict-Transport-Security","X-Content-Type-Options","Content-Security-Policy","Referrer-Policy"] for URL

My code is here

app.use(helmet.contentSecurityPolicy({
    directives: {
        defaultSrc: ["'self'"],
        styleSrc: ["'self'", "'unsafe-inline'"],
        scriptSrc: ["'self'", "'unsafe-inline'", "https://appssdk.zoom.us"],
        connectSrc: ["'self'", `wss://https://example.herokuapp.com/sockjs-node`],
        imgSrc: ["'self'", 'data:', 'https://images.unsplash.com'],
        baseUri: ["'self'"],
        formAction: ["'self'"]
    }
}));
app.use(helmet.frameguard({ action: 'sameorigin' })); 
app.use(helmet.referrerPolicy({ policy: 'same-origin' })); 
app.use(helmet.hsts({ maxAge: 31536000 }));
app.use(helmet.noSniff());

I’m not sure the error is really related with the secure headers

I tried to fetch URL in zoom app console - fetch("https://example.herokuapp.com/");
Then I get the below error

I set the cors and secure headers in express server. What I wanna say is that all works well in windows zoom client.

Hi @MaxM i’m facing the same issue , i added the headers from the front end and also from the backend .net still i’m getting this error

my app is working fine in the windows and linux , but showing the [Error] Missing OWASP Secure Headers: [“X-Content-Type-Options”,“Content-Security-Policy”,“Referrer-Policy”] for URL in macos

Hey Guys, iam Getting the same issue on my side has any buddy figure it out yet ?

For those of you encountering issues, first check the network tab of the developer console when testing your web page and ensure that you can see the headers are being sent.

If there is an instance where you are sending all headers and still seeing this issue please send a screenshot of what you are seeing in the headers section of the network tab.

What was the solution here. Same problem

Hey @Mikron,
@Mikron ,
This topic was covered in a recent Zoom App workshop. You can watch the recording here:

The solution is to ensure you’re setting the correct headers on your server. For more information, check out our support documentation on this topic: