Apply Content Security Policy

To protect against code injection attacks such as cross-site scripting (XSS), apply a Content Security Policy (CSP) to the applications you develop with OutSystems. CSP is a standard mechanism for declaring which origins browsers may load content from; the browser refuses to load anything from an origin the policy does not approve.

CSP is configured through directives that are sent to browsers in the Content-Security-Policy HTTP response header. When a browser renders a page of your application, it reads those directives to decide from which locations, and of which types, resources may be loaded, and it blocks and reports anything that does not match.

It is advisable to configure CSP in every environment. Start with the allowed sources at the environment level, which apply to all its applications. Then, where an application needs different sources, configure them for that application to override the environment configuration.

The CSP configuration works for both web and mobile applications developed with OutSystems.

 

To configure CSP for the environments of your infrastructure, use the infrastructure management console (LifeTime):

  1. Go to the Infrastructure section to see all environments;
  2. In an environment, select the Environment Security option;
  3. Enable CSP;
  4. Configure directives, with one value per line.

To configure CSP for an application:

  1. Also in LifeTime, select the Applications section, and then the application;
  2. Select the Security Settings option;
  3. In the drop list, select the environment to which the settings will apply;
  4. Enable CSP;
  5. Configure directives, with one value per line.

If you don’t have LifeTime installed, configure CSP in each environment using its management console (Service Center):

  1. In the Administration section, select the Security option;
  2. Enable CSP;
  3. Configure directives, with one value per line.

To configure CSP for an application:

  1. Select the Factory section and then the application;
  2. Select the Security tab;
  3. Enable CSP;
  4. Configure directives, with one value per line.

Once CSP is set, you can monitor the blocked resources using the management console of the environment (Service Center):

  1. Go to the Monitoring section and select the Errors option;
  2. Set the eSpace filter to CSPReport to see only the resources blocked by CSP.
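The errors listed under the CSPReport eSpace come from the JSON bodies browsers POST to the report endpoint whenever the policy blocks something. As an added example (not OutSystems code), the script below turns a batch of such reports into allow-list candidates per directive, separating host blocks (fixed by adding a source to that directive) from inline and eval blocks (fixed in the application itself, not by loosening the policy). The reports are constructed samples; app.example.com and the other hosts are placeholders.

```python
"""Triage CSP violation reports into allow-list candidates.

Added example, not OutSystems code. SAMPLE_REPORTS are constructed JSON
bodies in the shape browsers send to a CSP report endpoint.
"""
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample reports (not real traffic): one POST body per violation.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/MyApp/Home",
        "effective-directive": "font-src",
        "violated-directive": "font-src 'self' data:",
        "blocked-uri": "https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/MyApp/Home",
        "effective-directive": "img-src",
        "violated-directive": "img-src 'self' data:",
        "blocked-uri": "https://cdn.example.net/assets/logo.png",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/MyApp/Orders",
        "effective-directive": "img-src",
        "violated-directive": "img-src 'self' data:",
        "blocked-uri": "https://cdn.example.net/assets/spinner.gif",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/MyApp/Orders",
        "effective-directive": "connect-src",
        "violated-directive": "connect-src 'self'",
        "blocked-uri": "https://api.partner.example/v1/quotes",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/MyApp/Home",
        "effective-directive": "script-src",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "inline",  # an inline <script> or on* handler was blocked
        "line-number": 1,
    }}),
]

# Browsers report non-network blocks as bare keywords instead of a URL.
NON_NETWORK = {"inline", "eval", "data", "blob"}


def blocked_source(blocked_uri: str) -> str:
    """Reduce a blocked-uri to the scheme://host[:port] you would allow-list."""
    if not blocked_uri:
        return "(empty)"
    if "://" not in blocked_uri:
        return blocked_uri  # 'inline', 'eval', 'data', ...
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}"


def directive_of(report: dict) -> str:
    # effective-directive is the resolved name; older browsers send only
    # violated-directive, whose first token is the directive name.
    return report.get("effective-directive") or report["violated-directive"].split()[0]


def triage(report_bodies):
    """Count violations per (directive, blocked source)."""
    counts = Counter()
    for body in report_bodies:
        report = json.loads(body)["csp-report"]
        counts[(directive_of(report), blocked_source(report.get("blocked-uri", "")))] += 1
    return counts


def split_findings(counts):
    """Separate host allow-list candidates from inline/eval blocks.

    Hosts can be added to the directive. 'inline' means an inline script was
    blocked: move it to a file served from an allowed source rather than
    adding 'unsafe-inline', which would reopen the door to XSS.
    """
    hosts, non_network = defaultdict(list), defaultdict(list)
    for (directive, source), _count in sorted(counts.items()):
        target = non_network if source in NON_NETWORK else hosts
        target[directive].append(source)
    return dict(hosts), dict(non_network)


if __name__ == "__main__":
    hosts, non_network = split_findings(triage(SAMPLE_REPORTS))
    for directive, sources in hosts.items():
        print(f"{directive}: add {' '.join(sources)}")
    for directive, kinds in non_network.items():
        print(f"{directive}: {', '.join(kinds)} blocked; fix the page, do not loosen the policy")
```

Run against a day of reports before and after a policy change; a host that shows up under img-src or font-src is usually a missing policy, while anything under script-src deserves a look at the page first, because it may equally be an injection attempt that the policy just stopped.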

When configuring CSP take into account the following risks of misconfiguration:

Missing policies
Make sure the policies allow every source your applications actually use: scripts, styles, fonts, images, media, frames and the endpoints called from client-side code. Otherwise users run into broken pages, such as videos that do not play, stylesheets that are not applied, or requests that fail. Check the CSPReport errors in Service Center to see what is being blocked before tightening the policy further.
Too permissive policies
Be especially cautious about allowing resources to be loaded from everywhere (by using * in the domain list). A script-src or default-src of * lets an attacker who can inject markup into a page load a script from any host they control, which defeats the purpose of the policy; an unrestricted frame-ancestors lets any site frame your application; and resources pulled from unvetted hosts can be used to redirect users to malicious pages.
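Both risks can be checked mechanically on the header the browser actually receives (copy it from the response headers in the browser's developer tools). The linter below is an added example, not OutSystems code: it parses a Content-Security-Policy value, applies the rule that fetch directives inherit default-src while base-uri, frame-ancestors and form-action do not, and flags the source expressions that make script-src, object-src and frame-ancestors ineffective. DEFAULT_POLICY is an assumed serialisation of the page's default values (keyword sources quoted, as CSP syntax requires); PERMISSIVE_POLICY is a constructed "everything from everywhere" policy.

```python
"""Lint a Content-Security-Policy header for missing and too-permissive directives.

Added example, not OutSystems code. The sample policies are constructed.
"""

# Fetch directives: when absent they inherit default-src.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
    "object-src", "child-src", "frame-src", "worker-src", "manifest-src",
}
# These never inherit default-src: when absent they are simply unrestricted.
STANDALONE = {"base-uri", "frame-ancestors", "form-action"}

# Source expressions that make script-src ineffective against injection.
RISKY_SCRIPT_SOURCES = {
    "*": "any host may serve scripts, so an injected <script src> runs",
    "https:": "any https host may serve scripts",
    "http:": "any http host may serve scripts",
    "data:": "an injected <script src=\"data:,...\"> runs without a hosted file",
    "'unsafe-inline'": "inline scripts and event handlers run, which is what most XSS relies on",
    "'unsafe-eval'": "eval() and Function() on attacker-controlled strings are allowed",
}

# Assumed serialisation of the page's default values (constructed).
DEFAULT_POLICY = (
    "default-src 'self'; base-uri 'self'; child-src 'self'; connect-src 'self'; "
    "font-src 'self' data:; img-src 'self' data:; script-src 'self'; "
    "style-src 'self'; frame-ancestors 'self'"
)
# Constructed example of the wildcard policy the text warns about.
PERMISSIVE_POLICY = "default-src *; script-src * 'unsafe-inline' data:; frame-ancestors *"


def parse_policy(header: str) -> dict:
    """Split "name src src; name src" into {name: [src, ...]}.
    Names are case-insensitive and, as in browsers, the first occurrence wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Sources governing a directive after default-src fallback; None if unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive in FETCH_DIRECTIVES else None


def lint(header: str) -> list:
    policy = parse_policy(header)
    findings = []
    # Missing policies: a fetch directive is covered only if it or default-src is set.
    if "default-src" not in policy:
        for d in sorted(FETCH_DIRECTIVES - policy.keys()):
            findings.append(f"{d}: not set and no default-src, so it is unrestricted")
    for d in sorted(STANDALONE - policy.keys()):
        findings.append(f"{d}: not set (it does not inherit default-src)")
    # Too permissive policies.
    for src in effective_sources(policy, "script-src") or []:
        if src in RISKY_SCRIPT_SOURCES:
            findings.append(f"script-src: {src} -> {RISKY_SCRIPT_SOURCES[src]}")
    for src in effective_sources(policy, "object-src") or []:
        if src in ("*", "https:", "http:"):
            findings.append(f"object-src: {src} -> plugin content from any host; set 'none' unless plugins are needed")
    if "*" in (effective_sources(policy, "frame-ancestors") or []):
        findings.append("frame-ancestors: * -> any site may frame the application (clickjacking)")
    return findings


if __name__ == "__main__":
    for name, header in (("default", DEFAULT_POLICY), ("permissive", PERMISSIVE_POLICY)):
        print(f"[{name}]")
        for finding in lint(header) or ["no findings"]:
            print("  " + finding)
```

With the page's defaults the only finding is that form-action is unset; because it does not inherit default-src, it can be added through the "Other directives" field. The wildcard policy produces seven findings, including object-src * inherited from default-src *, which is the kind of inherited permissiveness that is easy to miss when reading the configuration one directive at a time.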

Directives reference

The directives available to configure Content Security Policy in the OutSystems platform are listed below with the reason for each one and its default value. Directive names are shown as they appear in the header (lowercase). In the header the browser receives, keyword sources are quoted ('self'); the allowed values are listed here as the console shows them. A default of "-" means the directive is not set; for the fetch directives among them (media-src, object-src) this means they inherit the default-src value.

base-uri
  Reason: The domains that can be used as the base URL for application screens. Does not inherit default-src.
  Allowed source expressions: self.
  Default: self

child-src
  Reason: The domains from which applications are allowed to embed content in frames.
  Allowed source expressions: self and *.
  Default: self

connect-src
  Reason: The domains to which applications are allowed to connect using script interfaces (XMLHttpRequest, fetch, WebSocket, EventSource).
  Allowed source expressions: self and *.
  Default: self

default-src
  Reason: The domains from which applications are allowed to load resources by default. Any resource-type directive (such as object-src or img-src) that is not defined inherits this configuration.
  Allowed source expressions: self, data: and *.
  Default: self

font-src
  Reason: The domains from which applications are allowed to load fonts.
  Allowed source expressions: self, data: and *.
  Default: self, data:

img-src
  Reason: The domains from which applications are allowed to load images.
  Allowed source expressions: self, data: and *.
  Default: self, data:

media-src
  Reason: The domains from which applications are allowed to load media files (audio and video).
  Allowed source expressions: self, data: and *.
  Default: - (inherits default-src)

object-src
  Reason: The domains from which applications are allowed to load objects (for <object>, <embed> and <applet> elements).
  Allowed source expressions: self and *.
  Default: - (inherits default-src)

plugin-types
  Reason: The plugin MIME types that the user's browser may invoke. This directive is deprecated and current browsers no longer support it.
  Default: -

script-src
  Reason: The domains from which applications are allowed to load scripts. Allowing data: or * here lets injected markup load scripts from anywhere and effectively disables the protection; see the risks above.
  Allowed source expressions: self, data: and *.
  Default: self

style-src
  Reason: The domains from which applications are allowed to load style sheets.
  Allowed source expressions: self, data: and *.
  Default: self

frame-ancestors
  Reason: The domains that are allowed to embed application screens in a frame (protection against clickjacking). Does not inherit default-src.
  Allowed source expressions: self and *.
  Default: self

referrer
  Reason: The information included in the Referer request header when a user follows a link from an application screen to another page. This CSP directive is deprecated in browsers; the Referrer-Policy response header is the supported mechanism.
  Default: no-referrer

report-to
  Reason: The endpoint to which content security violations are reported. (In CSP level 2 this is the report-uri directive, which takes a URI; the CSP level 3 report-to directive takes a reporting group name instead.)
  Default: <internal> (the platform's own endpoint; its reports appear in Service Center under the CSPReport eSpace)

Other directives
  Reason: Additional directives to append to the Content-Security-Policy header, for example form-action, which does not inherit default-src.
  Default: -
