Identity Cloud

Configure Content Security Policy

What is Content Security Policy?

Content Security Policy (CSP) is a browser security feature that mitigates common web security threats (such as cross-site scripting and clickjacking) by explicitly defining what resources a website may load. CSP can be implemented by defining a set of policy directives in the HTTP headers of a website. It is enforced at the browser level, with all browsers supporting a common set of policy directives.

There are two types of CSP:

Report-only policy

Set in the Content-Security-Policy-Report-Only HTTP header, the browser will not enforce the defined policy directives but will report violations.

Enforced policy

Set in the Content-Security-Policy HTTP header, the browser will enforce the defined policy directives.

For more information, refer to Content-Security-Policy.

Identity Cloud lets you configure CSP to restrict access to resources used by your tenant environments or to restrict your tenant environment as a resource used by other websites. You can configure CSP to allow hosted pages to be embedded in your website, to allow hosted pages to use a script from an external domain, or to report policy violations to the browser console or a monitoring service. Identity Cloud also gives you the flexibility to configure CSP for your own use cases.

CSP configuration is dynamic, so you need to configure it separately in each of your environments. You configure it using the UI, which lets you select policy directives to build an enforced policy, a report-only policy, or both. After you have configured your policies or made policy changes, you can apply them to your environment. Policies apply to both realms.

Default policies

Report-only policy

By default, the following report-only policy is set in each of your Identity Cloud tenant environments:

Content-Security-Policy-Report-Only: frame-ancestors 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'

Enforced policy

By default, no enforced policy is set in your Identity Cloud tenant environments.

Configure CSP using the UI

  1. In the Identity Cloud admin UI, open the Tenant menu (upper right), then go to Tenant Settings > Global Settings > Content Security Policy.

  2. Click the Enforced Policy tab or the Report Only Policy tab to choose the policy type you want to configure.

  3. Review any existing policy directives:

    • To edit a directive:

      1. Click its ellipsis icon, then click Edit.

      2. In the Directive Sources modal, use the available fields to reconfigure the directive. The available fields vary according to the specification of the directive:

        • Refer to Directives for information on the available fields for a particular directive.

        • Refer to Values for information on the meaning of directive values.

      3. Click Save.

    • To delete a directive:

      1. Click its ellipsis icon, then click Delete.

      2. In the Delete Directive? modal, click Delete.

  4. To add a new policy directive:

    1. Click + Add Directive.

    2. In the Add Directive modal, select a directive from the list. The list does not show existing directives.

    3. In the Directive Sources modal, use the available fields to configure the directive. The available fields vary according to the specification of the directive:

      • Refer to Directives for information on the available fields for a particular directive.

      • Refer to Values for information on the meaning of directive values.

    4. Click Save.

  5. Repeat step 4 until you have added all the policy directives you require.

  6. If the policy status is Inactive, click Activate.

  7. Click Publish to apply the policy to your tenant environment in both realms. The Publish button appears in a banner at the top of the Content Security Policy page as soon as you make any changes.

CSP use cases

Allow hosted pages in iframes

By default, Identity Cloud hosted pages cannot be embedded in a website unless the hosted pages and the website are on the same domain. This prevents a bad actor from simply embedding your hosted pages login screen in their own website and stealing end-user credentials.

To permit a parent website to embed Identity Cloud hosted pages in an iframe, use the frame-ancestors policy directive and specify the domain of a valid parent website (or a comma-separated list of domains if there is more than one valid parent website):

  1. For your report-only policy:

    1. Use the instructions in Configure CSP using the UI to add or update the frame-ancestors policy directive:

      Content-Security-Policy-Report-Only: ... frame-ancestors 'self' <domain>;

      Replace <domain> with the domain of the valid parent website; for example, id.mycompany.com.

    2. Test the parent website and check the browser console to ensure there are no report-only policy violations for the frame-ancestors policy directive.

  2. For your enforced policy:

    Use the same approach as in step 1a and step 1b to add or update the following policy directive:

    Content-Security-Policy: ... frame-ancestors 'self' <domain>;

Allow hosted pages to use a script from an external domain

By default, you cannot use a script in Identity Cloud hosted pages unless the script and the hosted pages are on the same domain.

To permit a script from an external domain in Identity Cloud hosted pages, use the script-src policy directive and specify the domain of a valid source website (or a comma-separated list of domains):

  1. For your report-only policy:

    1. Use the instructions in Configure CSP using the UI to add or update the script-src policy directive:

      Content-Security-Policy-Report-Only: ... script-src 'self' <domain>;

      Replace <domain> with the domain of the valid source website; for example, cdn.cookielaw.org.

    2. Test hosted pages and check the browser console to ensure there are no report-only policy violations for the script-src policy directive.

  2. For your enforced policy:

    Use the same approach as in step 1a and step 1b to add or update the following policy directive:

    Content-Security-Policy: ... script-src 'self' <domain>;
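The following Python script is an added illustration, not code from Identity Cloud or from this page. It shows how a browser evaluates the two directives from the use cases above, frame-ancestors (checked against the embedding page's origin) and script-src (checked against the script URL), against both a report-only header and an enforced header. The tenant origin tenant.example.com is a placeholder; id.mycompany.com and cdn.cookielaw.org are the example domains used above; the matching rules are a simplified form of CSP Level 3 host-source matching ('self', 'none', '*', exact hosts, ports and leading-wildcard hosts; nonces, hashes and path matching are omitted). It also makes the practical point from the report-only definition above concrete: while only the default report-only policy is in place, a violating embed is reported, not blocked, which is why step 2 (the enforced policy) is needed.

```python
"""Evaluate a CSP source list the way a browser does for frame-ancestors
(target = parent origin) or script-src (target = script URL).
Added example, not Identity Cloud code; simplified CSP Level 3 host matching."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split "frame-ancestors 'self' a.com; script-src 'self'" into
    {directive: [source, ...]}. The first occurrence of a directive wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def origin_of(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        # *.mycompany.com matches id.mycompany.com but not mycompany.com itself
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def _source_matches(src, page, target):
    s = src.lower()
    if s == "*":
        return True
    if s == "'self'":
        return page == target
    if s.startswith("'"):
        return False  # other keywords (nonces, hashes, 'unsafe-*') never match a URL
    parts = urlsplit(s if "://" in s else "//" + s)
    scheme, host, port = target
    if parts.scheme and parts.scheme != scheme:
        return False
    # A host source without a scheme matches the page's scheme, or https as an upgrade
    if not parts.scheme and scheme not in (page[0], "https"):
        return False
    if not _host_matches(parts.hostname or "", host):
        return False
    return parts.port is None or parts.port == port


def source_list_allows(policy, directive, page_origin, target_url):
    """True if `directive` in `policy` permits `target_url` for a page served
    from `page_origin`. script-src falls back to default-src when absent;
    frame-ancestors does not. A missing directive imposes no restriction."""
    sources = policy.get(directive)
    if sources is None and directive != "frame-ancestors":
        sources = policy.get("default-src")
    if sources is None:
        return True
    if not sources or (len(sources) == 1 and sources[0].lower() == "'none'"):
        return False
    page, target = origin_of(page_origin), origin_of(target_url)
    return any(_source_matches(s, page, target) for s in sources)


def evaluate(headers, directive, page_origin, target_url):
    """Apply both response headers: 'blocked' if the enforced policy denies the
    target, 'reported' if only the report-only policy would flag it, else 'allowed'."""
    enforced = headers.get("Content-Security-Policy")
    report_only = headers.get("Content-Security-Policy-Report-Only")
    if enforced and not source_list_allows(parse_csp(enforced), directive, page_origin, target_url):
        return "blocked"
    if report_only and not source_list_allows(parse_csp(report_only), directive, page_origin, target_url):
        return "reported"
    return "allowed"


# Constructed headers: the page's default report-only policy, and a tenant that has
# completed both use cases (report-only updated and tested, then enforced policy published).
PAGE = "https://tenant.example.com"  # placeholder tenant origin, not a real tenant
DEFAULT_HEADERS = {
    "Content-Security-Policy-Report-Only":
        "frame-ancestors 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Content-Security-Policy-Report-Only":
        "frame-ancestors 'self' id.mycompany.com; "
        "script-src 'self' 'unsafe-eval' 'unsafe-inline' cdn.cookielaw.org",
    "Content-Security-Policy":
        "frame-ancestors 'self' id.mycompany.com; script-src 'self' cdn.cookielaw.org",
}

if __name__ == "__main__":
    print(evaluate(DEFAULT_HEADERS, "frame-ancestors", PAGE, "https://other.example.net"))   # reported
    print(evaluate(HARDENED_HEADERS, "frame-ancestors", PAGE, "https://other.example.net"))  # blocked
    print(evaluate(HARDENED_HEADERS, "script-src", PAGE, "https://cdn.cookielaw.org/x.js"))  # allowed
```

Run it as a script to see the three outcomes, or call `evaluate` with your own headers copied from the browser's network panel to predict what the browser will do before you click Publish.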

Report to a monitoring service

By default, CSP policy violations are logged to the browser console, so they are confined to each end user’s computer or device. To have policy violations for all end users logged to a monitoring service instead, add the report-uri policy directive and specify an endpoint set up to receive CSP policy violation JSON payloads. The following example configures the CSP report monitoring service provided by Report URI to monitor report-only policy violations:

Content-Security-Policy-Report-Only: ... report-uri https://<subdomain>.report-uri.com/r/d/csp/reportOnly;

The following example uses the same approach to monitor enforced policy violations:

Content-Security-Policy: ... report-uri https://<subdomain>.report-uri.com/r/d/csp/enforce;
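To show what a report-uri endpoint actually receives, here is an added Python example; it is not Identity Cloud or Report URI code. Browsers POST a JSON body with Content-Type application/csp-report to the configured endpoint. The script parses that body, normalizes the fields a triage needs (disposition, directive, blocked host) and aggregates violations so a report-only policy can be tuned before it is enforced; it also includes a minimal local receiver that mirrors the /r/d/csp/... path layout used above. The two report bodies, the tenant URL and the blocked URLs are constructed samples.

```python
"""Minimal receiver and aggregator for CSP violation reports (report-uri).
Added example, not Identity Cloud or Report URI code."""
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Two constructed report bodies in the shape a browser sends (keys per CSP Level 2/3):
# one report-only script-src violation, one enforced frame-ancestors violation.
SAMPLE_REPORTS = [
    b'{"csp-report":{"document-uri":"https://tenant.example.com/login/",'
    b'"violated-directive":"script-src","effective-directive":"script-src",'
    b'"original-policy":"frame-ancestors \'self\'; script-src \'self\'",'
    b'"disposition":"report","blocked-uri":"https://cdn.cookielaw.org/example-script.js",'
    b'"status-code":200}}',
    b'{"csp-report":{"document-uri":"https://tenant.example.com/login/",'
    b'"violated-directive":"frame-ancestors \'self\'","effective-directive":"frame-ancestors",'
    b'"original-policy":"frame-ancestors \'self\'; script-src \'self\'",'
    b'"disposition":"enforce","blocked-uri":"https://www.example.net/portal"}}',
]


def parse_csp_report(body):
    """Return the normalized fields needed for triage, or raise ValueError
    if the body is not a csp-report payload."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("not a csp-report payload") from exc
    if not isinstance(report, dict):
        raise ValueError("csp-report is not an object")
    directive = report.get("effective-directive")
    if not directive:
        # CSP Level 2 reports carry the full directive text, e.g. "script-src 'self'"
        directive = ((report.get("violated-directive") or "unknown").split() or ["unknown"])[0]
    # Browsers send bare keywords ("inline", "eval", "data") for non-URL sources.
    blocked = report.get("blocked-uri") or "(empty)"
    source = (urlsplit(blocked).hostname or blocked) if "://" in blocked else blocked
    return {
        "document": report.get("document-uri", ""),
        "directive": directive,
        "source": source,
        "disposition": report.get("disposition", "enforce"),
    }


def summarize(bodies):
    """Count violations per (disposition, directive, blocked source).
    Malformed bodies are skipped rather than failing the whole batch."""
    counts = Counter()
    for body in bodies:
        try:
            r = parse_csp_report(body)
        except ValueError:
            continue
        counts[(r["disposition"], r["directive"], r["source"])] += 1
    return counts


class ReportHandler(BaseHTTPRequestHandler):
    """Accepts POSTed reports on any path, e.g. /r/d/csp/reportOnly or /r/d/csp/enforce."""
    received = []  # class-level store so summarize(ReportHandler.received) works later

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(min(length, 64 * 1024))  # cap payload size
        try:
            parse_csp_report(body)
        except ValueError:
            self.send_response(400)
        else:
            ReportHandler.received.append(body)
            self.send_response(204)  # browsers ignore the response body
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stdout quiet; aggregation replaces per-request logging


if __name__ == "__main__":
    for (disposition, directive, source), n in summarize(SAMPLE_REPORTS).items():
        print(f"{n:4d}  {disposition:8s} {directive:16s} {source}")
    print("listening on http://127.0.0.1:8080 (POST csp-report bodies here)")
    HTTPServer(("127.0.0.1", 8080), ReportHandler).serve_forever()
```

The aggregate, not the individual report, is what you act on: a high count for a single (directive, host) pair indicates a source to add to the directive, whereas a scattering of unrelated hosts usually indicates browser extensions or injected content rather than a policy gap.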
Copyright © 2010-2024 ForgeRock, all rights reserved.