content-security-policy Header settings

  • Kyle
    Senior Member
    • May 2020
    • 143

    content-security-policy Header settings

    Hi,

    We have been requested to ensure we set the "content-security-policy" header.
    What values will get the best security for espocrm?


    Here is a sample of something that does not seem to cause any issues:


    Header set Content-Security-Policy: "default-src https:; object-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline';"


    Not sure if this can be restricted any more or if this maybe as tight as it gets?

    Last edited by Kyle; 11-18-2021, 10:09 AM.
  • novastream
    Member
    • May 2021
    • 61

    #2
    Hi,

    CSP is trial and error, but you could try something like this to get an idea of what's needed for Espo to work.



    • Kyle
      Senior Member
      • May 2020
      • 143

      #3
      Thanks, I ended up with the following:
      content-security-policy:
      default-src https:; object-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com; style-src https: 'unsafe-inline'; img-src * data:;

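An added checker (my own example, not code from the thread or from EspoCRM) that parses a CSP header value and lists the settings that weaken it, run over the two policies Kyle posted. It only reports what the policy permits; whether Espo still works under a tighter policy is the trial-and-error part described above.

```python
# Added example: parse a Content-Security-Policy value and report weak settings.
# Applied to the two policies from this thread (values copied from the posts).

WEAK_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
ANY_HOST = {"*", "https:", "http:"}          # whole scheme or any origin at all
# Directives that do NOT fall back to default-src and so should be set explicitly.
NON_FALLBACK = ("frame-ancestors", "base-uri", "form-action")


def parse_csp(header_value):
    """Return {directive: [source, ...]} for a CSP header value."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:                           # skip empty segment after trailing ';'
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header_value):
    """Return a sorted list of findings describing what the policy still allows."""
    policy = parse_csp(header_value)
    findings = []
    for directive, sources in policy.items():
        for src in sources:
            if src in WEAK_KEYWORDS:
                findings.append(f"{directive} allows {src}")
            elif src in ANY_HOST:
                findings.append(f"{directive} allows any host ({src})")
            elif src == "data:":
                findings.append(f"{directive} allows data: URIs")
            elif src.startswith("*."):
                findings.append(f"{directive} allows wildcard host {src}")
    for directive in NON_FALLBACK:
        if directive not in policy:
            findings.append(f"{directive} not set (does not fall back to default-src)")
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    return sorted(findings)


# Policies as posted in this thread (post #1 and post #3).
KYLE_FIRST = ("default-src https:; object-src https:; script-src 'self' 'unsafe-inline' "
              "'unsafe-eval'; style-src https: 'unsafe-inline';")
KYLE_FINAL = ("default-src https:; object-src https:; script-src 'self' 'unsafe-inline' "
              "'unsafe-eval' *.googleapis.com; style-src https: 'unsafe-inline'; img-src * data:;")

if __name__ == "__main__":
    for name, value in (("post #1", KYLE_FIRST), ("post #3", KYLE_FINAL)):
        print(name)
        for finding in audit_csp(value):
            print("  -", finding)
```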
