
Content security policies

Content Security Policy (CSP) is a browser-level security feature that restricts the sources from which a page may load and run content. CSP limits the impact of client-side attacks such as cross-site scripting (XSS) and data injection: even if an attacker manages to inject markup into a page, the browser refuses to execute scripts or load resources that the policy does not allow.

When a browser loads a page, it also fetches the assets that the page references, such as stylesheets, fonts, and scripts. Without CSP, a script that a third party injects into the page runs with the same privileges as your own code, and nothing reports it. Implement CSP so that only trusted content executes; it is a second layer of defense behind the input validation and output encoding that prevent injection in the first place, not a replacement for them. Enforce the policy, rather than only reporting on it, to get that protection.

Note: The browser reports violations only if the policy includes a reporting directive (report-uri or report-to). When it does, the browser sends a JSON violation report to the configured endpoint each time the policy blocks (or, in report-only mode, would block) a resource. A violation is not necessarily an attack: a policy that omits a legitimate source produces the same report.

A CSP is a set of directives that define the approved content sources that the user's browser can load. The directives are sent to the client in the Content-Security-Policy HTTP response header. Each browser type and version applies as much of the policy as it understands: a directive the browser does not recognize is ignored, and every directive it does recognize is applied in full. Each directive governs one resource type (for example script-src for scripts and img-src for images), and a fetch directive that is absent from the policy falls back to default-src. Special URL schemes that refer to specific pieces of unique content, such as data:, blob:, and filesystem:, are never matched by a host source or by the * wildcard; to permit them, list the scheme explicitly in the directive that needs it (for example img-src data:).
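The matching rules above, as an added JavaScript example that is not code from the Pega page or the Pega Platform: a simplified evaluator that parses a Content-Security-Policy value and decides whether a given load would be allowed, including the default-src fallback and the special handling of data:, blob: and filesystem: URLs. The policy, page URL, and resource URLs in it are constructed for illustration; nonces, hashes, 'strict-dynamic', and redirects are not modelled.

```javascript
// Added example (not from the Pega page): a simplified model of how a browser
// matches a resource load against CSP source expressions. Covers 'self', 'none',
// scheme sources (https:, data:), host sources with wildcards, ports and path
// prefixes, and the fallback to default-src. Nonces, hashes, 'strict-dynamic'
// and redirects are not modelled.

const SPECIAL_SCHEMES = new Set(["data:", "blob:", "filesystem:"]);
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Directives consulted, in order, when the specific directive is absent.
const FALLBACK = {
  "script-src": ["default-src"],
  "style-src": ["default-src"],
  "img-src": ["default-src"],
  "font-src": ["default-src"],
  "connect-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};

// Parse a header value into Map<directive, [sources]>. If a directive is
// repeated, the first occurrence wins and later copies are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does a single source expression permit loading `url` from a page at `origin`?
function sourceMatches(expr, url, origin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {
    return url.protocol === origin.protocol && url.hostname === origin.hostname && url.port === origin.port;
  }
  if (e.startsWith("'")) return false;                            // nonces, hashes, 'unsafe-*' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme source, e.g. "https:" or "data:"
  // data:, blob: and filesystem: URLs match only an explicit scheme source, never "*" or a host.
  if (SPECIAL_SCHEMES.has(url.protocol)) return false;
  if (e === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:/*]+|[^:/*]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== origin.protocol && !(origin.protocol === "http:" && url.protocol === "https:")) {
    return false;                                                 // no scheme: inherit the page's scheme (http may upgrade to https)
  }
  // "*.cdn.example" matches "a.cdn.example" but not "cdn.example" itself.
  if (host.startsWith("*.") ? !url.hostname.endsWith(host.slice(1)) : url.hostname !== host) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port === undefined ? url.port !== "" : port !== "*" && urlPort !== port) return false;
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Return the source list that governs `directive`, following the fallback chain,
// or null when the policy does not restrict that resource type at all.
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

// Would a page at `pageUrl` be allowed to load `resourceUrl` under `directive`?
function isAllowed(header, directive, resourceUrl, pageUrl) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  const url = new URL(resourceUrl, pageUrl);
  const origin = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, origin));
}

// Constructed policy and page, used only to demonstrate the evaluator.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data:; connect-src https://*.api.example.com:443";
const PAGE = "https://app.example.com/cases";

const CHECKS = [
  ["script-src", "https://cdn.example.com/lib.js"],          // allowed: listed host
  ["script-src", "https://evil.example.net/x.js"],           // blocked: not listed
  ["script-src", "data:text/javascript,console.log(1)"],     // blocked: data: is listed only for img-src
  ["img-src", "data:image/png;base64,AAAA"],                 // allowed: img-src lists data:
  ["img-src", "blob:https://app.example.com/1234"],          // blocked: blob: is not 'self' and is not listed
  ["font-src", "/fonts/a.woff2"],                            // allowed: falls back to default-src 'self'
  ["connect-src", "https://ws.api.example.com/graphql"],     // allowed: wildcard host, explicit 443 equals the default port
  ["connect-src", "https://api.example.com/graphql"],        // blocked: wildcard requires a subdomain
];
for (const [directive, resource] of CHECKS) {
  console.log(directive.padEnd(12), resource.padEnd(45), isAllowed(POLICY, directive, resource, PAGE) ? "allowed" : "blocked");
}
```

The blob: case is the one that surprises most teams: a blob URL created by your own page has your origin, but CSP matches on the URL's scheme, so it still needs an explicit blob: entry in the relevant directive.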

CSPs are instances of the Rule-Access-CSP class in the Security category.

To access the content security policies in an application, you can:

  • Use the Application Explorer to list the content security policies in your application.
  • Use the Records Explorer to list all the content security policies that are available to you.

You can specify a CSP on the Security tab of the Application Rule form, as shown in the following figure:

Figure: Content security policy.

The value that you select in the Mode section of the CSP (shown in the previous figure) determines whether the browser enforces the policy or only reports violations:

  • Reject and report: Enforce the policy. This corresponds to the Content-Security-Policy header; the browser blocks any resource that violates the policy and reports the violation.
  • Report only: Report violations, but do not enforce the policy. This corresponds to the Content-Security-Policy-Report-Only header; the browser loads the resource anyway and only sends a report.

The Constellation UI helps you comply with a strict CSP. pyConstellationSecured is a default CSP that Pega Platform™ provides for applications built on the Constellation architecture. Unlike the traditional UI, Constellation does not require unsafe-eval or unsafe-inline in script-src and style-src. For more information, see CSP settings in Constellation.

A CSP helps reduce exposure to a variety of security threats by limiting the content in your application to only the sources that you place on an allow list.

Note: Pega applications return a guardrail warning if no CSP is defined for the application. Use a default policy or create your own policy before you migrate to a production environment.

If the CSP mode is set to Report only, the Application rule form shows the following guardrail warning:

This application's Content Security Policy mode has been left in Report-Only mode. This mode will not restrict content on your user's browsers, greatly weakening the policy's usefulness. The policy mode should be set to Reject and Report mode.

Setting the mode of the CSP as Reject and Report is a best practice to strengthen the security of your application. 

If the CSP is enforced, the browser blocks the offending script or resource and logs a message like the following in the browser console:

Content Security Policy of your site blocks some resources because their origin is not included in the content security policy header.
The Content Security Policy (CSP) improves the security of your site by defining a list of trusted sources and instructs the browser to only execute or render resources from this list. Some resources on your site can't be accessed because their origin is not listed in the CSP.

To resolve this issue, verify that every blocked resource in the list is one that your application genuinely needs and that you trust. If it is, add its origin (scheme and host, not the full URL) to the relevant directive of your site's CSP. You can set a policy as an HTTP header (recommended) or by using an HTML <meta http-equiv="Content-Security-Policy"> tag. The <meta> form does not support the frame-ancestors, sandbox, and report-uri directives, so violation reporting requires the header.

Caution:  Never add a source that you do not trust to your site's CSP. If you do not trust the source, consider hosting resources on your own site instead.

As a best practice, develop a customized CSP rather than selecting the Pega-provided .pxDefaultAllowAll or .pxDefaultSecured only to silence the warning. A policy that allows every source satisfies the guardrail but gives the browser nothing to block, so it provides no real protection.

Note: The SECU0009 security alert is generated when a browser reports a violation of your application's CSP. The alert message describes the violation as an attempt by an untrusted source to load content.

For details about setting content security policies, see the Policy definition tab on the content security policies form.

CSP best practices for LSAs

To strengthen your application’s security posture, follow these guidelines when configuring CSP:

  • Use restrictive policies to minimize exposure to unauthorized content.
  • Avoid unsafe-inline and unsafe-eval unless a specific feature requires them, and document why.
  • Review CSP violation reports regularly.
  • Integrate CSP with Rule Security Mode and Access Control Policies.
  • Deploy the CSP iteratively:
    • Begin with a restrictive policy in Report only mode.
    • Monitor violation reports continuously to identify legitimate resource sources.
    • After validating the trusted sources and adding them to the allow list, switch the mode to Reject and report.
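The monitoring step of that rollout, as an added JavaScript example that is not code from the Pega page or the Pega Platform: a triage routine that buckets report-uri-style CSP violation reports by directive and source, so that recurring first-party dependencies (allow-list candidates) are separated from inline-script and eval findings and from browser-extension noise. The reports are constructed samples; the document URIs, hosts, extension identifier, and the initLegacyWidget name are placeholders, and the Reporting API (report-to) format is not handled.

```javascript
// Added example (not from the Pega page): triage of CSP violation reports
// gathered while the policy runs in Report only mode. The reports are
// constructed samples in the report-uri JSON format (field names are the ones
// browsers send). The Reporting API (report-to) format is not handled here.

// Build one constructed report. Browsers send "inline", "eval" or a bare scheme
// name such as "data" in blocked-uri for non-URL sources, and usually strip a
// cross-origin blocked-uri down to its origin.
function report(documentUri, directive, blockedUri, scriptSample) {
  return {
    "csp-report": {
      "document-uri": documentUri,
      "violated-directive": directive,   // older browsers send the full directive text here
      "effective-directive": directive,
      "blocked-uri": blockedUri,
      "disposition": "report",
      ...(scriptSample ? { "script-sample": scriptSample } : {}),
    },
  };
}

const SAMPLE_REPORTS = [
  report("https://app.example.com/cases", "script-src", "https://cdn.example.com/lib.js"),
  report("https://app.example.com/dashboard", "script-src", "https://cdn.example.com/lib.js"),
  report("https://app.example.com/cases", "script-src", "https://cdn.example.com/widgets.js"),
  report("https://app.example.com/cases", "connect-src", "https://ws.api.example.com"),
  report("https://app.example.com/dashboard", "connect-src", "https://ws.api.example.com"),
  report("https://app.example.com/cases", "img-src", "data"),
  report("https://app.example.com/cases", "script-src", "inline", "initLegacyWidget()"),   // placeholder sample
  report("https://app.example.com/cases", "style-src", "chrome-extension://abcdefghijklmnop/content.css"),
];

// Reduce a blocked-uri to the thing a reviewer would actually decide about.
function sourceKey(blockedUri) {
  if (blockedUri === "inline") return { kind: "inline", key: "inline script/style" };
  if (blockedUri === "eval") return { kind: "eval", key: "eval()" };
  if (["data", "blob", "filesystem"].includes(blockedUri)) return { kind: "scheme", key: blockedUri + ":" };
  try {
    const u = new URL(blockedUri);
    if (u.protocol.endsWith("-extension:")) return { kind: "extension", key: u.protocol }; // chrome-extension:, moz-extension:
    return { kind: "host", key: `${u.protocol}//${u.host}` };  // origin, the usual allow-list granularity
  } catch {
    return { kind: "unknown", key: blockedUri || "(empty)" };
  }
}

// Heuristic verdict for a bucket; "documents" is the number of distinct pages
// that produced the reports. The threshold is an assumption, not a rule.
function verdict(row) {
  switch (row.kind) {
    case "extension": return "ignore: browser extension noise, not your application";
    case "inline":
    case "eval": return "investigate: possible XSS or legacy code; do not add unsafe-* to silence it";
    case "scheme": return "review: allow only in the directive that needs it (e.g. img-src data:)";
    case "host": return row.documents > 1
      ? "candidate: recurring dependency, verify it then allow-list the origin"
      : "investigate: seen on a single page only, could be injected content";
    default: return "unknown";
  }
}

// Group reports by (directive, source) and attach counts, page coverage and a verdict,
// most frequent bucket first.
function triageReports(reports) {
  const buckets = new Map();
  for (const r of reports) {
    const body = r["csp-report"];
    const directive = (body["effective-directive"] || body["violated-directive"]).split(" ")[0];
    const { kind, key } = sourceKey(body["blocked-uri"]);
    const id = `${directive} ${key}`;
    const b = buckets.get(id) || { directive, kind, key, count: 0, documents: new Set(), samples: new Set() };
    b.count += 1;
    b.documents.add(body["document-uri"]);
    if (body["script-sample"]) b.samples.add(body["script-sample"]);
    buckets.set(id, b);
  }
  return [...buckets.values()]
    .map((b) => {
      const row = { ...b, documents: b.documents.size, samples: [...b.samples] };
      row.verdict = verdict(row);
      return row;
    })
    .sort((a, b) => b.count - a.count);
}

for (const row of triageReports(SAMPLE_REPORTS)) {
  console.log(`${row.directive.padEnd(12)} ${row.key.padEnd(30)} x${row.count} on ${row.documents} page(s): ${row.verdict}`);
}
```

The point of the bucketing is that the output is a short list of decisions rather than a stream of reports: each host candidate becomes one allow-list entry to verify, each inline or eval bucket becomes a code change (or an XSS investigation), and extension noise is dropped before anyone spends time on it.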
