
Content Security Policy (CSP)

About Content Security Policy (CSP)

Content Security Policy (CSP) is a web standard that lets a site declare which resources (scripts, style sheets, fonts, images, frames and so on) a page is allowed to load and execute. It is an added layer of defence that helps detect and mitigate attacks such as cross-site scripting (XSS), clickjacking and other code injection; it does not replace output encoding and input validation in the application itself. To enable CSP, the server sends the policy in an extra HTTP response header, 'Content-Security-Policy'. CSP is supported by all current mainstream browsers, including Chrome, Firefox, Safari and MS Edge.

Note

For more information on CSP, including the full list of directives and source expressions, see the Mozilla (MDN) documentation on Content Security Policy.

How do I configure CSP?

To configure CSP in the Onegini software:

  1. Go to the Customer Identity Access Manager -> Click the tab Smart Security -> Click the tab Content Security Policy on the right.
  2. The window Content Security Policy Header Configuration opens.
  3. There are four modes to choose from:

     Mode | Description
     Disable content security policy | Content Security Policy is disabled and no CSP header is sent. This is the default mode.
     Enable content security policy | The header is sent with the defined directives and the browser blocks content that violates them. Violation reporting is not enabled.
     Enable content security policy in report only mode | The policy is sent in report-only mode: the browser reports violations but does not block any content. Use this to test a new or changed policy against real traffic before enforcing it.
     Enable content security policy and enable reporting | The policy is enforced (content that violates it is blocked) and violations are reported as well.

Note

A default header for the standard CIM templates is available: Content-Security-Policy: default-src 'self'. This allows resources only from the page's own origin and blocks inline scripts and styles as well as anything loaded from other hosts, so every additional origin your templates need must be added explicitly.

  4. Click the [Get default]-button to use the default header.
  5. Modify the default header to allow the specific resources your templates use, such as JavaScript files (script-src), style sheets (style-src) and fonts (font-src). List only the origins you actually need; a broad source such as * or 'unsafe-inline' largely defeats the purpose of the policy.

Note

If you add script-src 'self' 'nonce-{nonce}', the {nonce} placeholder is automatically replaced by a random value, and the same value is added as the nonce attribute of the scripts that are included in the templates. The browser then executes only inline scripts that carry the matching nonce, which lets the templates use inline scripts without resorting to 'unsafe-inline'. A nonce must be unique for every response; a value that is reused or predictable gives an attacker a way to run injected scripts despite the policy.