

Content Security Policy


OpenCities Product Team


Visit the Content Security Header Management screen to manage the Content Security Policy HTTP Header for the current group.

This task can be undertaken by users with the following roles: OC Developer

Content Security Policy (CSP) is a security header that tells the browser where the different resources on your website (scripts, style sheets, images, media, fonts, frames, etc.) may be loaded from; anything outside the allowed sources is blocked. It helps mitigate common attacks such as cross-site scripting (by restricting script sources), clickjacking (via the frame-ancestors directive) and, with the upgrade-insecure-requests directive, some mixed-content man-in-the-middle risks.


Set up CSP for your site

  1. From the main menu navigate to More > Content Security Management.
  2. Enable the ‘Generate violation report’ checkbox. In this state the header is sent in report-only mode: the browser reports each violation instead of blocking it, and the application gathers those reports and saves them to the database for review.
  3. Open the site in a new browser session to test for the header. The header is not rendered when the site is being previewed.
  4. Enter your directives, for example: frame-ancestors 'self'; default-src 'self';  Note that default-src 'self' also covers inline scripts and styles and every third-party origin, so expect an initial batch of violations to review.
  5. Test the header across multiple browsers. Because the CSP specification changes quickly, check each browser's console for messages related to the header; the violations registered may differ from browser to browser. Some browsers may ignore frame-ancestors while the header is in report-only mode, so verify framing protection again once the header is enforcing.
  6. Resolve violated directives. Although best effort is made to ensure that the header is valid when using the automatic 'Resolve' option, always review the resulting header yourself and confirm there are no header-related error messages in browsers before leaving report-only mode. In particular, do not accept 'unsafe-inline' or 'unsafe-eval' just to silence a report, since either largely defeats the header's protection against cross-site scripting. Once the checkbox is unchecked, any violation of the header will be blocked by the browser.
  7. Un-check ‘Generate violation report’ to save your changes and publish the header in enforcing mode.
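The steps above describe collecting violation reports in report-only mode, then resolving them into a header before enforcing it. The following is an added example, not OpenCities code, that shows what a careful "resolve" pass looks like: it parses a CSP string, applies a batch of browser violation reports in the report-uri JSON format (the `csp-report` object with `effective-directive`, `violated-directive`, `blocked-uri` and `document-uri` fields), adds the blocked origins to the right directive, and refuses to auto-add 'unsafe-inline' or 'unsafe-eval', leaving inline, eval and data: violations for a human to review. The policy and the reports are constructed sample data; the origins in them are placeholders, and the OpenCities 'Resolve' option's own behaviour is not documented here.

```javascript
// Added example (not OpenCities code): resolve CSP violation reports into a
// revised policy without weakening it.

// Directives that do not fall back to default-src; a new entry for these must
// not be seeded from default-src's sources.
const NO_DEFAULT_FALLBACK = new Set([
  'frame-ancestors', 'form-action', 'base-uri', 'sandbox',
  'report-uri', 'report-to', 'upgrade-insecure-requests',
]);

// CSP3 browsers report the specific directive that was checked; fold these
// into the broader directive so older browsers honour the result too.
const DIRECTIVE_ALIASES = {
  'script-src-elem': 'script-src', 'script-src-attr': 'script-src',
  'style-src-elem': 'style-src', 'style-src-attr': 'style-src',
};

function parseCsp(policy) {
  const directives = new Map(); // Map preserves directive order for output
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' leaves an empty part
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives.entries()]
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Returns the origin for a URL-shaped blocked-uri, or null for the keyword
// forms ("inline", "eval", "data", "blob") and opaque-origin schemes.
function originOf(blockedUri) {
  try {
    const origin = new URL(blockedUri).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

function resolveViolations(policy, reports) {
  const directives = parseCsp(policy);
  const needsReview = [];
  for (const report of reports) {
    const r = report['csp-report'];
    // Older browsers omit effective-directive and put the full directive
    // text (e.g. "font-src 'self'") in violated-directive.
    const raw = (r['effective-directive'] || r['violated-directive']).split(/\s+/)[0].toLowerCase();
    const directive = DIRECTIVE_ALIASES[raw] || raw;
    const blocked = r['blocked-uri'] || '';
    const origin = originOf(blocked);
    if (origin === null) {
      // Never translate these into 'unsafe-inline' / 'unsafe-eval' / data:
      needsReview.push({ directive, blocked, document: r['document-uri'] });
      continue;
    }
    let sources = directives.get(directive);
    if (!sources) {
      // A directive that was silently inheriting from default-src keeps those
      // sources when it becomes explicit, so nothing previously allowed breaks.
      sources = NO_DEFAULT_FALLBACK.has(directive) ? [] : [...(directives.get('default-src') || [])];
    }
    if (!sources.includes(origin)) sources.push(origin);
    directives.set(directive, sources);
  }
  return { policy: serializeCsp(directives), needsReview };
}

// Constructed sample data: the page's example policy plus four reports.
const SAMPLE_POLICY = "frame-ancestors 'self'; default-src 'self';";
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://www.example.gov/', 'violated-directive': 'script-src-elem',
                    'effective-directive': 'script-src-elem', 'blocked-uri': 'https://cdn.example.net/js/app.js' } },
  { 'csp-report': { 'document-uri': 'https://www.example.gov/', 'violated-directive': 'script-src-elem',
                    'effective-directive': 'script-src-elem', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://www.example.gov/', 'violated-directive': 'img-src',
                    'effective-directive': 'img-src', 'blocked-uri': 'https://maps.example.net/tiles/1.png' } },
  { 'csp-report': { 'document-uri': 'https://www.example.gov/', 'violated-directive': "font-src 'self'",
                    'blocked-uri': 'https://fonts.example.net/a.woff2' } },
];

console.log(JSON.stringify(resolveViolations(SAMPLE_POLICY, SAMPLE_REPORTS), null, 2));
```

The inline script report is deliberately left in `needsReview`: the right fix is to move the script into a file served from an allowed origin (or use a nonce or hash), not to add 'unsafe-inline'. Run the revised policy through another report-only cycle before unchecking ‘Generate violation report’.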


Note: No backup of the current header value is kept. Copy the existing header locally before modifying it, so an accidental change can be reverted.

For more information, please refer to the MDN documentation for the Content-Security-Policy header.
