Skip to main content
All docs
V24.2

How to Use DevExpress Controls with Content Security Policy (CSP)

  • 4 minutes to read

Content Security Policy (CSP) helps detect and mitigate certain attack vectors, including clickjacking, cross-site scripting (XSS), or other code injection-related attacks.

To enable CSP for DevExpress products, you need to apply platform-specific directives. Specify a Content-Security-Policy header or use the <meta> tag to explicitly define authorized functionality with CSP directives.

ASP.NET Web Forms and Bootstrap

<meta http-equiv="Content-Security-Policy" content="default-src 'self';  
      script-src 'unsafe-inline' 'unsafe-eval' 'self';  
      style-src 'unsafe-inline' 'self';  
      img-src 'self' data:" />  

ASP.NET MVC

<meta http-equiv="Content-Security-Policy" content="default-src 'self';  
      script-src 'unsafe-inline' 'unsafe-eval' 'self';  
      style-src 'unsafe-inline' 'self';  
      img-src 'self' data:" />  

Blazor

Blazor WebAssembly

<meta http-equiv="Content-Security-Policy"
      content="base-uri 'self';
               default-src 'self';
               img-src data: https:;
               object-src 'none';
               script-src 'self'
                          'sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA='
                          'wasm-unsafe-eval';
               style-src 'self'
                         'unsafe-inline';
               upgrade-insecure-requests;">

Review the following topic for additional information: Content Security Policy for Blazor Apps.

Blazor Server

<meta http-equiv="Content-Security-Policy" 
      content="base-uri 'self';
               default-src 'self';
               img-src data: https:;
               object-src 'none';
               script-src 'self';
               style-src 'self' 
                         'unsafe-inline';
               upgrade-insecure-requests;">

Read the following help topic for additional information: Content Security Policy for Blazor Apps.

BI Dashboard

The following <meta> tag specifies the minimum required directives for the DevExpress Web BI Dashboard:

<head>
<!--...-->
    <meta http-equiv="Content-Security-Policy" content="default-src 'self';
    img-src data: https: http:;
    script-src 'self' 'unsafe-inline';
    style-src 'self' 'unsafe-inline'; "/>
<!--...-->
</head>

Blazor applications require the unsafe-eval rule in the script-src directive. To remove unsafe-eval from the script-src directive, you must remove the Knockout library (loaded by DxDashboard) and reference it globally.

In ASP.NET Core, ASP.NET MVC, ASP Web Forms, and Blazor applications, implement a nonce-based CSP to remove unsafe-inline from script-src and style-src directives.

For more information, review the following platform-specific CSP help topics:

DevExtreme

<meta
    http-equiv="Content-Security-Policy"
    content="default-src 'self'; 
    img-src https://* data:; 
    child-src 'none';" 
/> 

Review the following help topic for additional information: Content Security Policy for DevExtreme-powered Applications.

DevExtreme-based ASP.NET Core Controls

Specify the <meta> tag with directives and call the AddCspNonce(String) method:

<meta http-equiv="Content-Security-Policy"
    content="default-src 'self'; img-src https://* data:; child-src 'none';
    script-src 'self' 'nonce-allowed-value';"
/>

@Html.DevExtreme().AddCspNonce("allowed-value")
@(Html.DevExtreme().Button()
    .Text("Submit")
)

Review the following topic for additional information: Content Security Policy for DevExtreme-powered ASP.NET Core Applications.

Reporting

The following <meta> tag specifies the minimum required directives for DevExpress Reports:

<head>
<!--...-->
    <meta http-equiv="Content-Security-Policy" content="default-src 'self';
    img-src data: https: http:;
    script-src 'self' 'unsafe-inline';
    style-src 'self' 'unsafe-inline';
    connect-src 'self';
    worker-src 'self' blob:;
    frame-src 'self' blob:;" />
<!--...-->
</head>

Blazor WebAssembly applications require the unsafe-eval rule in the script-src directive.

In ASP.NET Core, ASP.NET MVC, and ASP.NET Web Forms applications and Blazor applications with JavaScript-based controls, you can remove unsafe-inline from script-src and style-src directives.

For more information, review the following platform-specific CSP help topics:

XAF

XAF Blazor

Apply the following directives in the <head> content of the Pages/_Host.cshtml file:

<head>
    <!--...-->
    <meta http-equiv="Content-Security-Policy"
        content="base-uri 'self';
        block-all-mixed-content;
        default-src 'self';
        img-src data: https:;
        object-src 'none';
        script-src 'self';
        style-src 'self' 'unsafe-inline';
        upgrade-insecure-requests;">
    <!--...-->
</head>

Review the following topic for additional information: Content Security Policy for XAF-powered Blazor Apps.

XAF Web Forms

Apply the following directives in the <head> content of Default.aspx and Login.aspx files:

<head>
    <!--...-->
    <meta http-equiv="Content-Security-Policy" 
          content="default-src 'self';
          script-src 'unsafe-inline' 'unsafe-eval' 'self';
          style-src 'unsafe-inline' 'self';
          img-src 'self' data:" />
    <!--...-->
</head>

Review the following topic for additional information: Content Security Policy for XAF-powered Web Forms Apps.