
Configuring Content Security Policy

This guide describes how to configure the Content Security Policy of your application. Read the Content Security Policy concept for more details and the security background of this policy.

Configuring the Content Security Policy of your Application

Configuring the Content Security Policy header helps prevent attacks and the execution of malicious content or code, and makes your application more secure.
For more information, see the link on why you should use it.

Prerequisites

  • You need to have access to a tenant with the mdsp:core:Developer or mdsp:core:DeveloperAdmin role.
  • You need to have access to the Developer Cockpit.
  • The application must be available on your Launchpad and in an unregistered state in order to change the settings.
    Read First cloud foundry to create the application in Developer Cockpit.

Changing the CSP Configuration

  1. Go to your Launchpad and open Developer Cockpit.
  2. Open your application from the application overview.
  3. Click on the edit button to modify the Content Security Policy for the configuration item cspHeader.
  4. Change the values and click on update.
    By default, the Gateway adds the following cspHeader for web applications.

        Content-Security-Policy: default-src 'self' static.{env}.{mindsphere-domain}; style-src * 'unsafe-inline'; script-src 'self' 'unsafe-inline' static.{region}.{mindsphere-domain}; img-src * data:
    

    To understand the individual configuration items and to configure more rules for cspHeader, go to the Defaults & Recommendations section of the Content Security Policy concept.

  5. Save the changes.

  6. Register the application.

Your changes are now active. The Gateway adds your cspHeader configuration to your application, and you can check the response headers to verify that the Gateway delivers the correct Content-Security-Policy header.
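The response header check described above, as an added example that is not part of the original guide or of the platform's tooling: it compares a delivered Content-Security-Policy header with the configured cspHeader value and lists the permissive sources a review should look at. The function names and the host static.eu1.example.test are constructed for illustration; replace the two sample strings with your configured value and the header copied from the response.

```javascript
// Parse a CSP header value into a Map of directive name -> Set of sources.
function parseCsp(value) {
  const policy = new Map();
  const body = value.replace(/^content-security-policy:\s*/i, '');
  for (const part of body.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue; // empty segment, e.g. after a trailing ';'
    const key = name.toLowerCase(); // directive names are case-insensitive
    // Browsers ignore a repeated directive, so keep the first occurrence only.
    if (!policy.has(key)) policy.set(key, new Set(sources));
  }
  return policy;
}

// List the differences between the configured and the delivered policy.
function diffCsp(configured, delivered) {
  const want = parseCsp(configured), got = parseCsp(delivered), out = [];
  for (const name of new Set([...want.keys(), ...got.keys()])) {
    const w = want.get(name), g = got.get(name);
    if (!g) { out.push(`missing directive: ${name}`); continue; }
    if (!w) { out.push(`unexpected directive: ${name}`); continue; }
    for (const s of w) if (!g.has(s)) out.push(`${name}: missing source ${s}`);
    for (const s of g) if (!w.has(s)) out.push(`${name}: unexpected source ${s}`);
  }
  return out;
}

// List sources that weaken a policy: the wildcard and the inline/eval keywords.
function permissiveSources(value) {
  const risky = new Set(['*', "'unsafe-inline'", "'unsafe-eval'"]);
  const out = [];
  for (const [name, sources] of parseCsp(value))
    for (const s of sources) if (risky.has(s)) out.push(`${name} ${s}`);
  return out;
}

// Constructed sample values: the placeholders of the default cspHeader are
// filled with a made-up host, and the delivered header lacks 'unsafe-inline'.
const configured = "default-src 'self' static.eu1.example.test; " +
  "style-src * 'unsafe-inline'; " +
  "script-src 'self' 'unsafe-inline' static.eu1.example.test; img-src * data:";
const delivered = "Content-Security-Policy: default-src 'self' " +
  "static.eu1.example.test; style-src * 'unsafe-inline'; " +
  "script-src 'self' static.eu1.example.test; img-src * data:";

console.log(diffCsp(configured, delivered));
console.log(permissiveSources(configured));
```

An empty result from diffCsp means the Gateway delivers exactly the configured directives and sources.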

CSP Configuration in the Developer Cockpit


Last update: March 17, 2023

Except where otherwise noted, content on this site is licensed under the Development License Agreement.