OutSystems

Apply Content Security Policy

To protect against the growing number of attacks on the Web, apply a Content Security Policy (CSP) to the applications you develop with OutSystems to mitigate code injection attacks. CSP provides a standard way of declaring the approved origins of content that browsers are allowed to load.

CSP is configured through directives that the server sends to browsers in specific HTTP headers. When a browser renders a page of your application, the directives tell it from which locations, and of which types, resources may be loaded.

It is advisable that you configure the CSP in every environment. Start with the allowed sources in an environment, for all its applications. Then, specify the sources per application, as needed, to override the general configuration.

The CSP configuration works for both web and mobile applications developed with OutSystems.

To configure the CSP in all environments, use the management console of your infrastructure (LifeTime):

  1. Go to the Infrastructure section to see all environments;
  2. In an environment, select the Environment Security option;
  3. Enable CSP;
  4. Configure directives, with one value per line.

To configure CSP for an application:

  1. Also in LifeTime, select the Applications section, and then the application;
  2. Select the Security Settings option;
  3. In the drop-down list, select the environment to which the settings will apply;
  4. Enable CSP;
  5. Configure directives, with one value per line.

If you don’t have LifeTime installed, configure CSP in each environment using its management console (Service Center):

  1. In the Administration section, select the Security option;
  2. Enable CSP;
  3. Configure directives, with one value per line.

To configure CSP for an application:

  1. Select the Factory section and then the application;
  2. Select the Security tab;
  3. Enable CSP;
  4. Configure directives, with one value per line.

Once CSP is set, you can monitor the blocked resources using the management console of the environment (Service Center):

  1. Go to the Monitoring section and select the Errors option;
  2. Set the eSpace filter to CSPReport to only see the resources blocked by CSP.
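Service Center shows the blocked resources it received, but the reports themselves arrive from browsers in one of two standard JSON shapes: the legacy report-uri shape (`{"csp-report": {...}}`) and the Reporting API shape used by report-to (`[{"type": "csp-violation", "body": {...}}]`). The following script is an added example, not OutSystems code, that parses both shapes and counts violations by effective directive and blocked origin, which is the view you need when deciding which source to add to which directive. The report payloads are constructed samples; the host names in them are placeholders.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample reports (not taken from a real Service Center log).
# The first is in the legacy report-uri shape, the rest in the Reporting API shape.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://app.example.com/Orders/Detail",'
    ' "violated-directive": "img-src", "effective-directive": "img-src",'
    ' "blocked-uri": "https://cdn.example.net/logo.png",'
    ' "original-policy": "default-src \'self\'; img-src \'self\' data:"}}',
    '[{"type": "csp-violation", "age": 12, "url": "https://app.example.com/Orders/List",'
    ' "body": {"documentURL": "https://app.example.com/Orders/List",'
    ' "effectiveDirective": "script-src", "blockedURL": "https://cdn.example.net/lib.js",'
    ' "disposition": "enforce"}}]',
    '[{"type": "csp-violation", "age": 40, "url": "https://app.example.com/Home",'
    ' "body": {"documentURL": "https://app.example.com/Home",'
    ' "effectiveDirective": "img-src", "blockedURL": "https://cdn.example.net/hero.jpg",'
    ' "disposition": "enforce"}}]',
    '[{"type": "csp-violation", "age": 3, "url": "https://app.example.com/Home",'
    ' "body": {"documentURL": "https://app.example.com/Home",'
    ' "effectiveDirective": "script-src", "blockedURL": "inline",'
    ' "disposition": "enforce"}}]',
]


def parse_violations(raw):
    """Return (effective_directive, blocked_uri, document_uri) tuples from one
    report payload, accepting both the legacy and the Reporting API formats."""
    data = json.loads(raw)
    out = []
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        out.append((r.get("effective-directive") or r.get("violated-directive", ""),
                    r.get("blocked-uri", ""), r.get("document-uri", "")))
    elif isinstance(data, list):
        for entry in data:
            if entry.get("type") != "csp-violation":
                continue  # the Reporting API batches other report types too
            b = entry.get("body", {})
            out.append((b.get("effectiveDirective", ""), b.get("blockedURL", ""),
                        b.get("documentURL", entry.get("url", ""))))
    return out


def blocked_origin(blocked_uri):
    """Collapse a blocked URL to its origin, because that is the granularity at
    which a directive value is added; keep keywords such as 'inline' or 'eval'."""
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri


def summarize(raw_reports):
    """Count violations per (effective directive, blocked origin)."""
    counts = Counter()
    for raw in raw_reports:
        for directive, blocked, _document in parse_violations(raw):
            counts[(directive, blocked_origin(blocked))] += 1
    return counts


if __name__ == "__main__":
    for (directive, origin), n in sorted(summarize(SAMPLE_REPORTS).items()):
        print(f"{n:3d}  {directive:<16} {origin}")
```

A blocked origin that recurs under img-src or font-src is usually a missing allow-list entry; an `inline` entry under script-src is worth investigating before loosening the policy, because it is the kind of load CSP exists to block.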

When configuring CSP take into account the following risks of misconfiguration:

  • Missing policies: Make sure you configure policies that allow all the sources your applications use. Otherwise, users may run into problems such as videos that are not shown or stylesheets that are not applied.

  • Too permissive policies: Be especially cautious when allowing resources to be loaded from everywhere (by using * in the domain list). Hackers may take advantage of links, scripts, or other resources in your applications to redirect users to malicious pages.
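The two risks above can be checked before a policy is enabled. The script below is an added example, not OutSystems code: it takes per-directive values in the form the console accepts (one value per line, keywords such as `self` written without quotes), composes the header value a browser would receive, and flags directives that contain the wildcard `*` as well as resource-type directives that are left unset and therefore inherit `default-src`. The configuration is a constructed sample, and `https://cdn.example.net` is a placeholder; the real header is emitted by the platform, so the composer is only there to make the effective policy visible.

```python
# Constructed sample configuration, as it would be typed into the console:
# one value per line, keywords unquoted. Not an OutSystems default.
SAMPLE_CONFIG = {
    "default-src": "self",
    "img-src": "self\ndata:\nhttps://cdn.example.net",
    "script-src": "self\n*",          # deliberately too permissive
    "font-src": "self\ndata:",
    "frame-ancestors": "self",
    "report-to": "",                  # left empty: the platform fills its internal endpoint
}

# Keywords that must be single-quoted in the header; bare hosts and schemes are not.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

# Resource-type directives that fall back to default-src when not defined.
FETCH_DIRECTIVES = ("child-src", "connect-src", "font-src", "img-src", "media-src",
                    "object-src", "script-src", "style-src")


def parse_values(text):
    """Split a console field (one value per line) into its non-empty values."""
    return [v.strip() for v in text.splitlines() if v.strip()]


def build_header(config):
    """Compose the Content-Security-Policy header value from the per-directive fields."""
    parts = []
    for directive, text in config.items():
        values = parse_values(text)
        if not values:
            continue
        tokens = []
        for v in values:
            keyword = v.strip("'")
            tokens.append(f"'{keyword}'" if keyword in KEYWORDS else v)
        parts.append(f"{directive} {' '.join(tokens)}")
    return "; ".join(parts)


def audit(config):
    """Return (kind, directive, message) findings for the two misconfiguration risks:
    a wildcard source (too permissive) and an unset directive that inherits default-src
    (a possible missing policy, or an unintended inheritance if default-src is broad)."""
    parsed = {d: parse_values(t) for d, t in config.items()}
    findings = []
    for directive, values in parsed.items():
        if "*" in values:
            findings.append(("too-permissive", directive,
                             "wildcard * allows this resource type from any origin"))
    default = " ".join(parsed.get("default-src", [])) or "(unset)"
    for directive in FETCH_DIRECTIVES:
        if not parsed.get(directive):
            findings.append(("inherits-default", directive,
                             f"not set; browsers fall back to default-src {default}"))
    return findings


if __name__ == "__main__":
    print("Content-Security-Policy:", build_header(SAMPLE_CONFIG))
    for kind, directive, message in audit(SAMPLE_CONFIG):
        print(f"[{kind}] {directive}: {message}")
```

Run it against a draft configuration before enabling CSP in an environment: a `too-permissive` finding on script-src or default-src deserves a narrower host list, and the `inherits-default` lines show which resource types are silently governed by default-src.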

Directives reference

The list of available directives to configure Content Security Policy in OutSystems is described in the table below.

| Directive | Description | Default values |
|---|---|---|
| base-uri | The domains that can be used as base URL for application screens. Allowed source expressions: self. | self |
| child-src | The domains that applications are allowed to embed in frames. Allowed source expressions: self and *. | self |
| connect-src | The domains from which applications are allowed to load resources using script interfaces. Allowed source expressions: self and *. | self |
| default-src | The domains from which applications are allowed to load resources by default. Any resource-type directive (such as object-src or img-src) that is not defined inherits this configuration. Allowed source expressions: self, data: and *. | self |
| font-src | The domains from which applications are allowed to load fonts. Allowed source expressions: self, data: and *. | self, data: |
| img-src | The domains from which applications are allowed to load images. Allowed source expressions: self, data: and *. | self, data: |
| media-src | The domains from which applications are allowed to load media files. Allowed source expressions: self, data: and *. | - |
| object-src | The domains from which applications are allowed to load objects (for <object>, <embed> and <applet> elements). Allowed source expressions: self and *. | - |
| plugin-types | The valid plugins that the user's browser may invoke. | - |
| script-src | The domains from which applications are allowed to load scripts. Allowed source expressions: self, data: and *. | self |
| style-src | The domains from which applications are allowed to load styles. Allowed source expressions: self, data: and *. | self |
| frame-ancestors | The domains that are allowed to embed applications in a frame. Allowed source expressions: self and *. | self |
| referrer | The information included in the referrer header when applications link to another page. | no-referrer |
| report-to | The URI to which content security violations are reported. | <internal> |
| Other directives | More directives to append to the Content Security Policy headers. | - |