CSP

This page shows you the steps to configure the CSP (Content-Security-Policy) response header for your site. Refer to this MDN link for more details.

CSP allows website administrators to control which resources the user agent is allowed to load for a given page. This helps guard against cross-site scripting (XSS) attacks.

Note: For demonstration purposes, we will use the www.nviztest.com domain as an example.

Prerequisite#

  1. You must have a domain configured on Nitrogen.

Steps#

  1. Click on the Security menu and open the CSP tab.

  2. You will be taken to a screen to provide details.
    Content Security Policy: Enter the directives permitted for this header and required for your domain,
    e.g.

    • upgrade-insecure-requests: instructs user agents to treat all of a site's insecure URLs (served over HTTP) as though they had been replaced with secure URLs (served over HTTPS). Useful while migrating a site from HTTP to HTTPS.
    • 'self': not a directive but a source keyword used inside directives (for example default-src 'self'); it allows resources only from the page's own origin (same scheme, host and port). The single quotes are required.
    • frame-src: specifies valid sources for nested browsing contexts loaded using elements such as frame and iframe. If omitted, it falls back to default-src.
    • frame-ancestors: specifies valid parents that may embed a page using frame, iframe, object, or embed elements. It does not fall back to default-src, so set it explicitly (e.g. frame-ancestors 'none') to protect against clickjacking; it is only honoured in the HTTP response header, not in a meta tag.

    Note: Refer to this MDN link for more details.

  3. Click on the Save button.
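The following is an added example, not part of the Nitrogen product or documentation. It is a small evaluator for the directives listed above, so you can check what a policy would permit before deploying it. SAMPLE_POLICY, PAGE_ORIGIN and the URLs are constructed for the demo domain www.nviztest.com; the matcher implements only the subset of CSP3 source matching that these directives need (no path matching, nonces or hashes).

```javascript
// Added example (not Nitrogen's code): evaluate a CSP policy string against
// resource URLs, using the fallback rules a browser applies.

const PAGE_ORIGIN = 'https://www.nviztest.com'; // constructed demo origin

// Constructed sample policy for the demo domain.
const SAMPLE_POLICY =
  "default-src 'self'; " +
  "script-src 'self' https://cdn.example.com; " +
  "frame-src https://player.example.com; " +
  "frame-ancestors 'none'; " +
  "upgrade-insecure-requests";

// Fetch directives that inherit default-src when absent. frame-ancestors is
// deliberately not here: it never falls back to default-src.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
]);

// Parse "name value value; name ..." into Map<name, string[]>.
// A repeated directive is ignored, as a browser would ignore it.
function parsePolicy(policy) {
  const directives = new Map();
  for (const chunk of policy.split(';')) {
    const parts = chunk.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Does one source expression match the URL, for a page served from pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source, e.g. https:
  // Host source: [scheme://]host[:port][/path]; the path part is ignored here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (!scheme && url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
  if (!hostOk) return false;
  if (port === '*') return true;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port) return urlPort === port;
  return url.port === ''; // no port in the source: URL must use the scheme's default port
}

// Would a browser enforcing `policy` allow `directive` to load `resourceUrl`?
function isAllowed(policy, directive, resourceUrl, pageOrigin = PAGE_ORIGIN) {
  const directives = parsePolicy(policy);
  let sources = directives.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = directives.get('default-src');
  }
  if (sources === undefined) return true;  // not governed by this policy
  if (sources.length === 0) return false;  // an empty source list means 'none'
  const url = new URL(resourceUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

function upgradesInsecureRequests(policy) {
  return parsePolicy(policy).has('upgrade-insecure-requests');
}

// Usage: one line per check.
for (const [directive, target] of [
  ['script-src', 'https://cdn.example.com/lib.js'],      // allowed by script-src
  ['script-src', 'https://evil.example.net/x.js'],       // blocked
  ['frame-src', 'https://www.nviztest.com/embed'],       // blocked: frame-src overrides default-src 'self'
  ['img-src', 'https://www.nviztest.com/logo.png'],      // allowed via default-src 'self'
  ['frame-ancestors', 'https://www.nviztest.com'],       // blocked by 'none', even for the site itself
]) {
  console.log(directive, target, isAllowed(SAMPLE_POLICY, directive, target) ? 'allowed' : 'blocked');
}
```

Two points the checks above make explicit: once frame-src is set, the 'self' in default-src no longer applies to frames, and a policy that omits frame-ancestors leaves the page embeddable by any site. After deploying, fetch the live header (for example with `curl -sI https://www.nviztest.com`) and pass its Content-Security-Policy value to isAllowed to confirm the deployed policy behaves as intended.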

Notes#

These changes take effect only when deployed; saving them only stores them as a draft. Refer to the documentation on the Deploy process.