Configuring content security policy headers for browser based security
The Content Security Policy (CSP) is a security standard that modern browsers support to prevent malicious content from loading in your application. Enabling the CSP header helps protect against security vulnerabilities such as cross-site scripting (XSS) and other injection attacks. Configure CSP headers according to your UI customizations and third-party integrations, as it controls the sources from which scripts, styles, and other resources load.
BMC Helix Innovation Suite supports the following CSP Headers, as defined in the Content Security Policy (CSP) Quick Reference Guide at http://content-security-policy.com/ -
- Object-Src
- Script-Src
- Style-Src
- Img-src
- Font-src
- Connect-src
- Media-src
- Base-uri
- Form-action
- Worker-src
To manage the CSP settings
Review the following procedures to enable or customize CSP headers for your application:
- To enable all supported CSP headers with their default values, set the Enable-CSP-Header CCS parameter. For more information, see Configuration settings E-M.
- To configure custom values for specific CSP directives in addition to the default values, see Configuration settings C-D.
- To add CSP configuration settings in Centralized Configuration, see Updating configuration settings by using the AR System Configuration Generic UI form.
Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*