Content security policy


Plans supporting Content security policy in the knowledge base site

Professional
Business
Enterprise

Content Security Policy (CSP) is a browser security feature that controls which external stylesheets, scripts, and frames the pages of your Knowledge base are allowed to load. When CSP is enabled for the project, every Knowledge base page is delivered with a Content-Security-Policy that lists the allowed domains for each source type, pre-populated with a default set of allowed domains (see Testing your content security policy settings below for where to find it). The browser then refuses to load a stylesheet, script, or frame from any domain that is not in the configured list for that source type.


Enable the content security policy


  1. Navigate to Settings () in the left navigation bar in the Knowledge base portal.

  2. In the left navigation pane, navigate to Users & security > Security.

  3. Turn on the Enable content security policy toggle.

  4. You can find the following source fields:
    a. Style source
    b. Script source
    c. Frame source.

  5. Type in the desired domain URLs in the respective fields.

  6. Click Save.

NOTE

  • The character limit for each field is 5000 characters.

  • Use commas (,) to separate the URLs.

  • Enter each URL as an origin in the form https://example.com.

a. Style source

In the Style source field, you define the domains from which stylesheets may be loaded on your Knowledge base. Restricting style sources stops an attacker who manages to inject markup from pulling in a stylesheet hosted on a domain they control, which is one of the building blocks of Cross-Site Scripting (XSS) and content-injection attacks.

  • Type the domain URLs of your stylesheet sources in this field.

  • Stylesheets from any other domain will be blocked by the browser.

NOTE

Ensure that every inline <script> element in your custom HTML sections carries the nonce attribute placeholder. Under a script-src policy the browser refuses to run an inline script that does not carry the current nonce, so a custom script without it will stop working once CSP is enabled.

Example: <script nonce="{{Document360-Nonce}}">


b. Script source

In the Script source field, you define the domains from which JavaScript may be loaded and executed on your Knowledge base. This prevents malicious JavaScript from running even if an attacker has managed to inject it into the Knowledge base, because the injected code cannot be fetched from an allowed domain.

  • Type the domain URLs of your JavaScript sources in this field.

  • JavaScript from any other domain will be blocked by the browser.


c. Frame source

In the Frame source field, you define the domains whose content may be embedded in your Knowledge base through frame elements such as <frame> and <iframe>. This directive governs what your own pages embed (video players, widgets, and similar), so it is the one to extend when an embedded element shows as blocked.

  • Type the domain URLs of your frame sources in this field.

  • Frames from any other domain will be blocked by the browser.


Testing your content security policy settings

After setting up your CSP, verify that the settings are working as expected. To check that the content security policy has been applied correctly:

  1. Open the Network tab in your browser's developer tools.

  2. Visit your Knowledge base and review the response headers for a Content-Security-Policy header.

  3. Open the Console tab as well: when the policy blocks a stylesheet, script, or frame, the browser logs a "Refused to load ..." violation message there that names the blocked URL and the directive that blocked it.

  4. Alternatively, you can use online tools such as securityheaders.com to check whether your website sends the correct Content-Security-Policy headers. Note that such tools only inspect response headers; if the policy is delivered as a <meta> element in the page instead (see the FAQ below), they will report it as missing and you should check the page source instead.


FAQs

Why is my video showing as "This content is blocked" in one article but not another?

This issue typically occurs because of the Content Security Policy (CSP) settings in Document360. The video is served from a domain that is not in the Frame source list, so the browser blocks the embed. A video that does display in another article is coming from a domain that is allowed. Ensure that the source domain of every video you embed is in the Frame source list; the setting is project-wide, so one entry covers every article that embeds video from that domain.

How can I resolve the issue of a blocked video in my article?

To fix this,

  1. Navigate to Settings () in the left navigation bar in the Knowledge base portal.

  2. In the left navigation pane, navigate to Users & security > Security.

  3. Under the Enable content security policy section, add the video's source domain (for example https://www.youtube.com) to the Frame source list and click Save.
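To make the checks in the testing section and in this FAQ concrete, here is an added example (not Document360's code) that pulls the policy out of a page's source, whether it arrived as a response header value or as a <meta http-equiv> element, and evaluates whether a given resource URL would be allowed by the style, script, or frame directive. The sample HTML, the help.example.com origin, the domains, and the nonce value in it are constructed placeholders, not Document360 defaults. The matching follows the CSP source-expression rules for 'self', scheme-only sources, exact and wildcard hosts, ports, and path prefixes, but simplifies scheme matching (an http: source does not match an https: URL here).

```javascript
// Added example (not Document360 code). Extracts the CSP a Knowledge base page ships,
// as a header value or a <meta http-equiv> element, and checks whether a resource URL
// would be allowed by the relevant directive. All hosts, paths and the nonce are
// constructed placeholders, not Document360 defaults.

// Constructed sample of what "View page source" might show with CSP enabled.
const SAMPLE_HTML = `<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy" content="style-src 'self' https://fonts.googleapis.com; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com; frame-src https://www.youtube.com https://*.vimeo.com">
<title>Sample article</title></head><body></body></html>`;

// Split the comma-separated contents of a settings field into origins, rejecting
// entries that are not in the https://example.com form the settings page asks for.
function parseSourceField(field) {
  const good = [], bad = [];
  for (const raw of field.split(',')) {
    const entry = raw.trim();
    if (!entry) continue;
    let u = null;
    try { u = new URL(entry); } catch { /* not an absolute URL */ }
    if (u && u.protocol === 'https:' && u.pathname === '/' && !u.search && !u.hash) good.push(u.origin);
    else bad.push(entry);
  }
  return { good, bad };
}

// Pull the policy string out of a <meta http-equiv="Content-Security-Policy"> element.
function cspFromHtml(html) {
  const tag = html.match(/<meta\b[^>]*http-equiv\s*=\s*["']content-security-policy["'][^>]*>/i);
  if (!tag) return null;
  const content = tag[0].match(/\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i);
  return content ? (content[1] ?? content[2]) : null;
}

// Parse "directive src src; directive ..." into a Map of directive -> [source expressions].
// Works on a header value or on the meta content; the first occurrence of a directive wins.
function parseCsp(policy) {
  const map = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), sources);
  }
  return map;
}

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Does one source expression permit url? Handles 'self', keyword sources, scheme-only
// sources, exact hosts, leading-wildcard hosts (https://*.example.com), ports and paths.
function sourceMatches(expr, url, pageOrigin) {
  if (expr.startsWith("'")) {
    if (expr === "'self'") return url.origin === pageOrigin;
    return false; // 'none', 'nonce-...', 'sha256-...' and 'unsafe-*' never match a URL
  }
  if (expr === '*') return url.protocol === 'https:' || url.protocol === 'http:';
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  // Simplification: an explicit scheme must match exactly; a host-only source accepts
  // the page's own scheme or https.
  const schemeOk = scheme ? url.protocol === scheme.toLowerCase() + ':'
                          : (url.protocol === pageScheme || url.protocol === 'https:');
  const hostOk = wildcard ? url.hostname.endsWith('.' + host.toLowerCase())
                          : url.hostname === host.toLowerCase();
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  const portOk = port === '*' || (port ? urlPort === port : url.port === '');
  const pathOk = !path || path === '/' ||
                 (path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path);
  return schemeOk && hostOk && portOk && pathOk;
}

const DIRECTIVE_FOR = { style: 'style-src', script: 'script-src', frame: 'frame-src' };

// Would the browser load resourceUrl as the given kind of resource under this policy?
// Falls back to default-src when the specific directive is absent; a policy that sets
// neither leaves that resource type unrestricted.
function isAllowed(policyMap, kind, resourceUrl, pageOrigin) {
  const sources = policyMap.get(DIRECTIVE_FOR[kind]) ?? policyMap.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Usage: the blocked-video diagnosis from the FAQ, against the constructed sample page.
const PAGE_ORIGIN = 'https://help.example.com'; // assumed Knowledge base origin
const policy = parseCsp(cspFromHtml(SAMPLE_HTML));
for (const embed of ['https://www.youtube.com/embed/abc',
                     'https://player.vimeo.com/video/1',
                     'https://www.dailymotion.com/embed/video/x']) {
  console.log(embed, isAllowed(policy, 'frame', embed, PAGE_ORIGIN) ? 'allowed' : 'blocked by frame-src');
}
```

Run it with Node. To check a live page, paste the Content-Security-Policy header value (or the meta content from View page source) into parseCsp and the embed URL that the browser's Console reported as refused into isAllowed; a false result for kind 'frame' is exactly the "This content is blocked" case, and the fix is to add that origin to the Frame source field. parseSourceField is a pre-save check for the field contents themselves: anything it reports under bad is not in the https://example.com form the settings page expects.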

Why does my CSP validation indicate that CSP is missing in the response header?

In Document360, the Content Security Policy (CSP) is delivered through a <meta> element in the page rather than through a response header. A validator that only inspects response headers will therefore report CSP as missing or inactive even though the browser is enforcing it.

To confirm that CSP is enabled on your Knowledge base site, follow these steps:

  1. Open your Knowledge base site in a browser.

  2. Right-click anywhere on the webpage and select View page source.

    The page's source code will appear.

  3. Use the search function (Ctrl + F on Windows or Cmd + F on Mac) and look for the term “Content-Security-Policy”.

  4. If the term "Content-Security-Policy" is found, the CSP configuration is the value of the content attribute of that <meta> element.

Finding the policy in the <meta> element in the page source confirms that CSP is enabled for your Knowledge base site.

Can I allow specific domains to embed my Knowledge Base?

Yes, you can specify the allowed domains in the Frame source field of the content security policy settings. One caveat for anyone comparing this with the CSP specification: there, frame-src governs which domains your pages may embed, while a separate directive, frame-ancestors, governs which sites may embed your pages, and frame-ancestors is ignored when a policy is delivered in a <meta> element. Check the policy that your site actually emits (see Testing your content security policy settings) to confirm the behaviour you are getting.

Can I add a private project within an iframe?

No, private projects cannot be embedded in an iframe.

Authentication cookies are not set correctly inside iframes, which leads to repeated login attempts and redirect errors. For security reasons, the cookie settings cannot be relaxed.

Use a knowledge base widget instead if you need to embed the knowledge base in another application.