
Content security policy

A content security policy (CSP) helps to protect web applications from cross-site scripting (XSS) and data injection attacks. Grexx Platform includes a default content security policy that restricts the scripts and other resources your application can load to trusted sources.

In some circumstances, you may want to extend the default content security policy so that your application can use additional resources. For example, you may want to:

  • Use images or videos from an external source.
  • Enable a web analytics tool such as Google Analytics or SiteImprove.
  • Embed your application in another application using an iFrame.
  • Use a plugin that requires additional resources.

You can extend the default content security policy from My Grexx. From the Security settings, open the Content Security Policies page and add new CSPs. Then, return to the security settings and apply the relevant CSPs to each environment.

Important:

When adding items to a Content Security Policy (CSP), it is essential to consider the security of each source. Only add sources you can trust. Including sources that host large amounts of user-defined content (such as github.com) is high-risk, because any user-uploaded script could be executed on your platform.
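As an added example (not Grexx Platform code), the following shows what "extending" a policy means at the header level for the scenarios listed above (external images, an analytics script, embedding in an iframe) and applies the check from the note: it flags wildcards, unsafe keywords and user-content hosts in script-capable directives. The baseline header, host list and URLs are constructed assumptions, not the platform's real default.

```python
# Added example, not Grexx Platform code. BASELINE, the host list and all
# URLs below are constructed for illustration.
from typing import Dict, List

BASELINE = "default-src 'self'; object-src 'none'"  # assumed, not the real default
# Hosts that serve large volumes of user-uploaded files: allowing them as a
# script source lets any upload run inside your pages (see the github.com note).
USER_CONTENT_HOSTS = {"github.com", "raw.githubusercontent.com"}
RISKY_KEYWORDS = {"*", "'unsafe-inline'", "'unsafe-eval'"}
# These directives never fall back to default-src, so they must not be seeded from it.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action"}

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn 'dir src src; dir src' into {dir: [src, ...]}, preserving order."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def serialize_csp(policy: Dict[str, List[str]]) -> str:
    return "; ".join(f"{d} {' '.join(s)}".rstrip() for d, s in policy.items())

def extend_csp(header: str, additions: Dict[str, List[str]]) -> str:
    """Add sources to directives. A fetch directive created here starts from
    default-src's list; otherwise adding script-src would silently drop 'self'."""
    policy = parse_csp(header)
    for directive, sources in additions.items():
        if directive not in policy:
            seed = [] if directive in NO_FALLBACK else list(policy.get("default-src", []))
            policy[directive] = seed
        for src in sources:
            if src not in policy[directive]:
                policy[directive].append(src)
    return serialize_csp(policy)

def risky_sources(header: str) -> List[str]:
    """Return 'directive source' entries to review: wildcards, unsafe keywords,
    or user-content hosts in a directive that can load scripts."""
    findings = []
    for directive, sources in parse_csp(header).items():
        for src in sources:
            host = src.split("//")[-1].split("/")[0].lstrip("*.")
            script_capable = directive in {"script-src", "default-src"}
            if src in RISKY_KEYWORDS or (script_capable and host in USER_CONTENT_HOSTS):
                findings.append(f"{directive} {src}")
    return findings
```

Run `risky_sources` over the extended header before applying it to an environment; an empty result means none of the added sources matched the checks, not that every source is trustworthy.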