Content Security Policy (CSP)¶
About Content Security Policy (CSP)¶
Content Security Policy (CSP) is a standard to describe resources used on a webpage, in order to prevent attacks. CSP can be described as an added layer of security to detect and migitate certain types of attacks. Attacks such as cross-site scripting (XSS), clickjacking and other code injections. To enable SCP you add extra information to your HTTP Header: 'Content-Security-Policy'. CSP is currently supported by most popular browsers, like Chrome, Firefox, Safari and MS Edge.
For more information on CSP please go to the Mozilla Documentation Guide.
How do I configure CSP?¶
To configure CSP in the Onegini software:
- Go to the Customer Identity Access Manager -> Click the tab
Smart Security-> Click the tab
Content Security Policyon the right.
- The window Content Security Policy Header Configuration opens:
- There are 4 modes to choose from:
|Disable content security policy||If this mode is selected, Content Security Policy is disabled. This the default mode.|
|Enable content security policy||If this mode is selected, Content Security Policy is enabled with the defined directives. Report is not enabled.|
|Enable content security policy in report only mode||If this mode is selected, the Content Security Policy is enabled and the report is sent, but in a 'report-only-mode'. This means the report will not block any content.|
|Enable content security policy and enable reporting||if this mode is selected the Content Security Policy is enabled and reporting is enabled as well, blocking content that might be harmful.|
A default header for standard CIM-templates is available, called Content-Security-Policy: default-scr 'self'.
- Click the [Get default]-button to use the default header.