Content Security Policy (CSP) in XAF Blazor Apps
Content Security Policy (CSP) is a built-in browser mechanism that helps you protect your web application against certain types of attacks, such as Cross-Site Scripting (XSS), clickjacking, and data injection. CSP is supported in most modern browsers, including Chrome, Edge, Firefox, Opera, Safari, and mobile browsers.
For additional information on how to use the Content Security Policy with an ASP.NET Core Blazor application, refer to the following Microsoft help topic: Enforce a Content Security Policy for ASP.NET Core Blazor.
For general information about CSP support in DevExpress Blazor components, refer to the following topic: Blazor - Content Security Policy.
To enable CSP protection, send a Content-Security-Policy header or use the <meta> tag, and explicitly list the functionality the browser may use with CSP directives: the allowed scripts, styles, and external domains that host required resources. Apply the following directives in the <head> section of the Pages/_Host.cshtml file:
<head>
<!--...-->
<meta http-equiv="Content-Security-Policy"
content="base-uri 'self';
default-src 'self';
img-src data: https:;
object-src 'none';
script-src 'self';
style-src 'self';
upgrade-insecure-requests;">
<!--...-->
</head>
For additional information on each directive, refer to the “Directives” section of the following topic: Content-Security-Policy (CSP) header.
Important
To safeguard your application, always validate inline CSS styles defined in application code. Do not include user input in inline styles unless it is properly escaped/validated. Such inline styles may expose data and introduce security-related risks.
Office Module
If you use the Office Module, the DxRichEdit component does not work with the default CSP settings. In this case, you have to allow inline styles in the style-src directive:
<!--...-->
style-src 'self' 'unsafe-inline';
<!--...-->
Reports Module
If you use the Reports Module, list the following directives in the <head> section of the Pages/_Host.cshtml file. These directives allow print operations.
<head>
<!--...-->
<meta http-equiv="Content-Security-Policy"
content="base-uri 'self';
default-src 'self';
img-src data: https:;
object-src 'none';
script-src 'self';
style-src 'self';
worker-src 'self' blob:;
frame-src 'self' blob:;
upgrade-insecure-requests;">
<!--...-->
</head>
Dashboards Module
If you use the Dashboards Module, you should either allow inline styles ('unsafe-inline') in the style-src directive or use a nonce-based CSP for that directive.
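The following is an added example (not DevExpress code and not part of this page) that works with the policy strings shown above: it parses a CSP policy into its directives, flags the settings a reviewer would question, and shows the nonce-based alternative to 'unsafe-inline' for style-src that the Office and Dashboards sections mention. The sample policy is constructed from the meta tag above with the Office Module relaxation applied; the function names and the nonce length are this example's own choices.

```python
"""Parse, lint, and harden a Content-Security-Policy string.

Added example: demonstrates the effect of 'unsafe-inline' in style-src and
how a per-request nonce replaces it. Not part of the XAF/DevExpress code base.
"""
import secrets

# Constructed sample: the page's meta-tag policy with the Office Module
# relaxation ('unsafe-inline' added to style-src).
OFFICE_POLICY = (
    "base-uri 'self'; default-src 'self'; img-src data: https:; "
    "object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "upgrade-insecure-requests;"
)


def parse_csp(policy):
    """Split a CSP string into {directive_name: [source expressions]}.

    Directives are ';'-separated; the first token of each is the name and the
    remaining whitespace-separated tokens are its sources. Names are
    case-insensitive, so they are lower-cased; a repeated directive is
    ignored (the first occurrence wins), matching browser behaviour.
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)
    return directives


def _has_nonce_or_hash(sources):
    return any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)


def lint_csp(directives):
    """Return a list of findings about weak settings (empty list = none)."""
    findings = []
    for name in ("script-src", "style-src"):
        # A missing fetch directive falls back to default-src.
        sources = directives.get(name, directives.get("default-src", []))
        if "'unsafe-inline'" in sources and not _has_nonce_or_hash(sources):
            findings.append(f"{name} allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in sources:
            findings.append(f"{name} allows 'unsafe-eval'")
        if "*" in sources:
            findings.append(f"{name} allows any origin (*)")
    if directives.get("object-src") != ["'none'"]:
        findings.append("object-src should be 'none'")
    if "base-uri" not in directives:
        findings.append("base-uri is missing")
    return findings


def new_nonce():
    """Generate a fresh, unguessable nonce (128 bits, base64url). Must be
    regenerated for every response; reusing a nonce defeats its purpose."""
    return secrets.token_urlsafe(16)


def with_style_nonce(directives, nonce):
    """Replace 'unsafe-inline' in style-src with a 'nonce-...' source.

    The same nonce value must be placed in the nonce attribute of every
    inline <style> element the page emits; CSP Level 2+ browsers then allow
    exactly those elements and nothing else.
    """
    hardened = {k: list(v) for k, v in directives.items()}
    sources = [s for s in hardened.get("style-src", ["'self'"]) if s != "'unsafe-inline'"]
    sources.append(f"'nonce-{nonce}'")
    hardened["style-src"] = sources
    return hardened


def serialize_csp(directives):
    """Render the directive map back into header/meta 'content' syntax."""
    return "; ".join(" ".join([name, *sources]) for name, sources in directives.items())


if __name__ == "__main__":
    parsed = parse_csp(OFFICE_POLICY)
    print("findings:", lint_csp(parsed))
    hardened = with_style_nonce(parsed, new_nonce())
    print("hardened:", serialize_csp(hardened))
    print("findings after hardening:", lint_csp(hardened))
```

The linter reports the Office Module policy because 'unsafe-inline' re-enables every inline style, including one an attacker manages to inject; the nonce-based policy keeps the component working while limiting inline styles to the elements the server itself tagged. In a Blazor app the nonce has to be generated once per request on the server and written both into the policy (header or meta tag in _Host.cshtml) and into the nonce attribute of the inline style elements; the Microsoft topic linked above covers that wiring.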
Additional Limitations and Considerations
You can find more complete information on limitations and security considerations in the following help topics: