Title: Configuring a Content Security Policy for TeamPage

As of version 6.2.66, administrators can configure a Content Security Policy (CSP) for TeamPage. The applicable settings are under server settings > Network > Features / Tuning > Content Security.

Before adjusting this or TeamPage's other Content Security settings, it's important to have a working understanding of the policy and

TeamPage shows the current value of the HTTP headers it will send (or would send, if CSP is not enabled) per the CSP as currently configured:

If you choose "yes" for the "Enable Content Security Policy (CSP)" setting, more settings will appear.

The first two settings are related to reporting.

"Report Only" defaults to "yes" so that, initially at least, requests that would have violated the policy will not actually be blocked. This lets you either test your policy -- you should see the violations logged in your browser's console -- or simply audit the violations. You can change this setting to "no" to have compliant browsers actually block these violating requests.

Note that in order to actually receive CSP violation reports, you'll need to enter the URI of a reporting endpoint in the "Report To" setting. This can be a service that you or your organization controls, or one it has contracted for (e.g., via a subscription service). If no report URI is present, the browser will probably display information about violations on the console, but will not otherwise report them.

There are also some settings you can use to adjust the allowed origins on a per-source-type basis.

Note that for each source type setting:

If you're not sure what values to add for each setting, you can experiment by leaving the CSP in report-only mode and seeing whether your browser console (or reporting system, if you have one) gives you any insights into what other sources may be necessary or useful to include. You don't have to take the CSP out of report-only mode until you're ready.
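If you run your own reporting endpoint, the reports collected in report-only mode can be tallied by directive and blocked origin to show which sources the policy is missing. The following is an added example, not TeamPage code: it assumes the endpoint has stored each POST body as a string, accepts either of the two standard browser report formats (the legacy `csp-report` object or a Reporting API batch), and uses constructed sample bodies with placeholder hostnames.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample POST bodies (placeholder hostnames, not TeamPage output).
SAMPLE_BODIES = [
    '{"csp-report": {"document-uri": "https://teampage.example.com/", '
    '"violated-directive": "script-src \'self\'", '
    '"blocked-uri": "https://cdn.example.net/lib/app.js"}}',
    '[{"type": "csp-violation", "body": {"effectiveDirective": "script-src", '
    '"blockedURL": "https://cdn.example.net/other.js"}}, '
    '{"type": "csp-violation", "body": {"effectiveDirective": "style-src-attr", '
    '"blockedURL": "inline"}}, {"type": "deprecation", "body": {}}]',
    "not json at all",  # reporting endpoints are unauthenticated, so expect junk
]

def blocked_origin(blocked):
    """Reduce a blocked URL to its origin; keep keywords such as 'inline' or 'eval'."""
    parts = urlsplit(blocked or "")
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    if parts.scheme:                      # e.g. a data: or blob: URL
        return parts.scheme + ":"
    return blocked or "(empty)"

def parse_body(body):
    """Yield (directive, blocked origin) pairs from one POST body in either format."""
    data = json.loads(body)
    if isinstance(data, dict) and "csp-report" in data:       # legacy format
        r = data["csp-report"]
        d = r.get("effective-directive") or r.get("violated-directive") or ""
        # Older browsers put the whole directive text here; keep only its name.
        yield (d.split() or ["(unknown)"])[0], blocked_origin(r.get("blocked-uri"))
        return
    for item in data if isinstance(data, list) else [data]:   # Reporting API batch
        if isinstance(item, dict) and item.get("type") == "csp-violation":
            b = item.get("body") or {}
            yield b.get("effectiveDirective") or "(unknown)", blocked_origin(b.get("blockedURL"))

def summarize(bodies):
    """Count violations per (directive, origin), skipping malformed bodies."""
    counts = Counter()
    for body in bodies:
        try:
            counts.update(parse_body(body))
        except (ValueError, AttributeError, TypeError):
            continue
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_BODIES).most_common())
```

Each (directive, origin) pair in the output is a candidate for the matching source type setting, once you have confirmed the origin is one you intend to trust. Keyword entries such as `inline` indicate inline content rather than an origin to add.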

Article: Doc1813 (permalink)
Categories: :Doc:Compliance
Date: August 7, 2023; 4:38:57 PM Eastern Daylight Time

Author Name: Dave Shepperton
Author ID: shep