Content-Security-Policy

Updated by Jason He

DeskDirector server 19.65.x now supports Content Security Policy. Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to malware distribution.

Attacks that can be blocked with Content Security Policy

  • Clickjacking: by defining a rule for the Content Security Policy (CSP) frame-ancestors directive, the web application can control which sites may frame it and so defend against clickjacking.
  • Cross-Site Scripting (XSS): Content Security Policy defines which locations executable JavaScript may be loaded from, preventing unknown scripts from being loaded. DeskDirector's server only allows scripts from our own CDN location.

By default, the Content Security Policy header is always returned in server 19.66.x.

Default Setup

DeskDirector server ships a default Content Security Policy that follows current best security practice. Of the default CSP directives, only frame-ancestors can be altered.

The frame-ancestors directive defines which websites may embed the DeskDirector web application in a frame. You do not need to alter it unless you want to embed the client portal in your own website. A valid frame-ancestors value is an origin such as https://www.example.org or a wildcard origin such as https://*.example.org. Note that a wildcard covers subdomains only: https://*.example.org does not allow https://example.org itself, so list the apex domain separately if it also needs to embed the portal. Browsers honour frame-ancestors only when it is delivered in the Content-Security-Policy response header, not in a <meta> tag.
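The following is an added example, not DeskDirector code, showing how a frame-ancestors list is validated, assembled into a Content-Security-Policy header value, and then evaluated against the origin of an embedding page. The host matching is a simplified version of the CSP3 host-source rules (scheme, optional leading wildcard label, optional port); the CDN hostname and the portal's own origin are placeholders, as is the helper naming.

```javascript
// Added example (not DeskDirector's code): build the CSP header value the
// article describes and check which embedding origins a frame-ancestors
// list admits. Host matching follows CSP3 host-source rules in simplified form.

const DEFAULT_DIRECTIVES = {
  // Assumption: one CDN origin for script-src, as the article says DeskDirector
  // does. The hostname is a placeholder, not the real CDN.
  "script-src": ["https://cdn.example-placeholder.net"],
  "frame-ancestors": ["'self'"],
};

// Default ports used when a source or origin omits the port.
const DEFAULT_PORT = { "https:": 443, "http:": 80 };

// Parse a host-source such as https://www.example.org, https://*.example.org
// or https://portal.example.org:8443. Paths and query strings are rejected,
// which is the mistake most often made when copying a URL into the setting.
function parseHostSource(source) {
  const m = /^(https?):\/\/(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d{1,5}))?$/i.exec(source);
  if (!m) return null;
  return {
    scheme: m[1].toLowerCase(),
    wildcard: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] ? Number(m[4]) : null,
  };
}

function isValidFrameAncestor(value) {
  return value === "'self'" || value === "'none'" || parseHostSource(value) !== null;
}

// Serialise the default directives with frame-ancestors replaced by the
// operator-supplied list. Throws rather than emitting a header the browser
// would silently ignore or misinterpret.
function buildCspHeader(frameAncestors) {
  const bad = frameAncestors.filter((v) => !isValidFrameAncestor(v));
  if (bad.length > 0) {
    throw new Error(`invalid frame-ancestors source(s): ${bad.join(", ")}`);
  }
  const directives = { ...DEFAULT_DIRECTIVES, "frame-ancestors": frameAncestors };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Does the origin of an embedding page (e.g. "https://portal.example.org")
// match one frame-ancestors source? selfOrigin is the portal's own origin.
function originMatchesSource(source, embedderOrigin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return embedderOrigin === selfOrigin;
  const src = parseHostSource(source);
  if (!src) return false;

  const o = new URL(embedderOrigin);
  const oScheme = o.protocol.replace(":", "");
  const oPort = o.port ? Number(o.port) : DEFAULT_PORT[o.protocol];

  // An http source also admits https (upgrade is allowed, downgrade is not).
  const schemeOk = src.scheme === oScheme || (src.scheme === "http" && oScheme === "https");
  // A wildcard matches subdomains only, never the apex domain itself.
  const hostOk = src.wildcard
    ? o.hostname.endsWith("." + src.host)
    : o.hostname === src.host;
  // No port in the source means "the default port for the origin's scheme".
  const portOk = src.port === null ? oPort === DEFAULT_PORT[o.protocol] : oPort === src.port;

  return schemeOk && hostOk && portOk;
}

function mayBeFramedBy(frameAncestors, embedderOrigin, selfOrigin) {
  return frameAncestors.some((s) => originMatchesSource(s, embedderOrigin, selfOrigin));
}

// Constructed usage: a portal hosted at the placeholder origin below, allowed to
// be embedded by any subdomain of example.org.
const SELF = "https://dd.example-placeholder.net";
const POLICY = ["'self'", "https://*.example.org"];
console.log(buildCspHeader(POLICY));
console.log(mayBeFramedBy(POLICY, "https://portal.example.org", SELF)); // true
console.log(mayBeFramedBy(POLICY, "https://example.org", SELF));        // false: apex not covered
```

Run it with `node` to see that the wildcard admits portal.example.org but not the apex domain, and that an entry with a path such as `https://www.example.org/portal` is rejected before it ever reaches a header.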

Custom Setup

While DeskDirector server does allow custom CSP directives, we restrict this capability to specific supported scenarios. Access to these extra settings is provided only through consulting, and only if you have purchased the Platinum package. The CSP directives have been designed and signed off by senior developers at DeskDirector, because an incorrect value can cause the application to fail.
