
Area: CSP header

securityFilter.ContentSecurityPolicyHeader

By setting a Content Security Policy via the CSP header, the allowed sources of content such as scripts, stylesheets, images, fonts, and more can be defined.

The CSP header can be configured via the SecurityFilter using the ContentSecurityPolicyHeader parameter. This allows the behavior of the CSP header for the FirstSpirit web application fs5root (start page) to be controlled.

Default value:

securityFilter.ContentSecurityPolicyHeader=default-src 'self'; object-src 'none'; style-src 'self'; form-action 'self'; script-src 'self' 'nonce-$NONCE' $UPGRADE_INSECURE $FRAME_ANCESTORS

The following placeholders can be used in the configuration:

  • $NONCE - the nonce value valid for the current HTTP request
  • $FRAME_ANCESTORS - allowed frame embedding according to the frameOptionsHeader property from fs-server.conf.
    The replacement with default settings: ; frame-ancestors 'self'
    If ALLOW_ALL is set, the replacement is an empty string.
  • $UPGRADE_INSECURE - upgrade-insecure-requests according to what is set for the SecurityFilter in the TransportSecurity parameter or its default value.
    The default value is KEEP_SECURE.
    The replacement with default settings:
    • for an HTTPS request: ; upgrade-insecure-requests
    • for an HTTP request: an empty string
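The placeholder substitution described above, as an added example that is not FirstSpirit's own code: it expands $NONCE, $UPGRADE_INSECURE and $FRAME_ANCESTORS in the documented default template for one request and then parses the result so the effective directives can be checked. It assumes a fresh per-request nonce, models only the documented ALLOW_ALL case of frameOptionsHeader and the KEEP_SECURE default of TransportSecurity, and the whitespace normalisation is cosmetic.

```python
import secrets
from typing import Dict, List

# Template copied from the documented default value of
# securityFilter.ContentSecurityPolicyHeader.
DEFAULT_TEMPLATE = (
    "default-src 'self'; object-src 'none'; style-src 'self'; "
    "form-action 'self'; script-src 'self' 'nonce-$NONCE' "
    "$UPGRADE_INSECURE $FRAME_ANCESTORS"
)


def new_nonce() -> str:
    """Per-request nonce: 128 bits from the OS CSPRNG, never reused."""
    return secrets.token_urlsafe(16)


def render_csp(template: str, nonce: str, https: bool,
               frame_options: str = "DEFAULT",
               transport_security: str = "KEEP_SECURE") -> str:
    """Expand the three documented placeholders for a single request.

    frame_options models frameOptionsHeader: ALLOW_ALL yields an empty
    string, anything else is treated as the default (assumption) and
    yields "; frame-ancestors 'self'". transport_security models the
    TransportSecurity parameter; only KEEP_SECURE is implemented here.
    """
    if transport_security != "KEEP_SECURE":
        raise ValueError("only KEEP_SECURE is modelled in this example")
    upgrade = "; upgrade-insecure-requests" if https else ""
    ancestors = "" if frame_options == "ALLOW_ALL" else "; frame-ancestors 'self'"
    header = (template.replace("$NONCE", nonce)
              .replace("$UPGRADE_INSECURE", upgrade)
              .replace("$FRAME_ANCESTORS", ancestors))
    # Cosmetic: collapse the spaces left behind by empty substitutions.
    return " ".join(header.split()).replace(" ;", ";")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


if __name__ == "__main__":
    nonce = new_nonce()
    print(render_csp(DEFAULT_TEMPLATE, nonce, https=True))
    print(render_csp(DEFAULT_TEMPLATE, nonce, https=False, frame_options="ALLOW_ALL"))
```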

The CSP header can also be configured via a -D start parameter in fs-isolated-wrapper.conf

wrapper.java.additional.##=-DsecurityFilter.ContentSecurityPolicyHeader=...

or via the SecurityFilter_ContentSecurityPolicyHeader system variable, where the system variable has the lowest priority.

© 2005 - 2024 Crownpeak Technology GmbH | All rights reserved. | FirstSpirit 2024.9