Content Security Policy (CSP) in XAF Blazor Apps
- 2 minutes to read
Content Security Policy (CSP) is a built-in browser mechanism that helps you protect your web application against certain types of attacks, such as Cross-Site Scripting (XSS), clickjacking, and data injection. CSP is supported in most modern browsers, including Chrome, Edge, Firefox, Opera, Safari, and mobile browsers. For more information on how to use the Content Security Policy with an ASP.NET Core Blazor application, refer to the following Microsoft topic: Enforce a Content Security Policy for ASP.NET Core Blazor.
To enable CSP protection, specify a Content-Security-Policy
header or use the <meta>
tag and explicitly define authorized functionality with CSP directives. You can list allowed scripts, styles, and external domains that store required resources. Apply the following directives in the <head>
content of the Pages/_Host.cshtml file:
<head>
<!--...-->
<meta http-equiv="Content-Security-Policy"
content="base-uri 'self';
block-all-mixed-content;
default-src 'self';
img-src data: https:;
object-src 'none';
script-src 'self';
style-src 'self' 'unsafe-inline';
upgrade-insecure-requests;">
<!--...-->
</head>
For more information on each directive, refer to the following section: Content-Security-Policy: Directives.
#Reports Module
If you use the Reports Module, list the following directives in the <head>
section of the Pages/_Host.cshtml file. These directives allow print operations.
<head>
<!--...-->
<meta http-equiv="Content-Security-Policy"
content="base-uri 'self';
block-all-mixed-content;
default-src 'self';
img-src data: https:;
object-src 'none';
script-src 'self';
style-src 'self' 'unsafe-inline';
worker-src 'self' blob:;
frame-src 'self' blob:;
upgrade-insecure-requests;">
<!--...-->
</head>
For more information about CSP support in Reports, refer to the following topic: Reports - Content Security Policy.
#Dashboards Module
The Dashboards Module does not require additional customizations. If you encounter any problems, refer to the following topic: Dashboards - Content Security Policy.