Content-Security-Policy

Updated by Jason He

DeskDirector server 19.65.x now supports Content Security Policy. Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to malware distribution.

Attacks that can be blocked with Content Security Policy

  • Clickjacking: by defining a rule for the CSP frame-ancestors directive, the web application controls which sites may embed it in a frame and so defends against clickjacking.
  • Cross-Site Scripting (XSS): CSP declares which sources may supply executable JavaScript, preventing unknown scripts from being loaded. DeskDirector's server only allows scripts from our own CDN location.

By default, the Content Security Policy header is always returned in server 19.66.x.

Default Setup

DeskDirector server provides a default value for Content Security Policy to assist in achieving best security practices. Of the default CSP directives, only frame-ancestors can be altered.

The frame-ancestors directive lets you define which websites can embed the DeskDirector web application. You do not need to alter it unless you want to embed the client portal in your own website. A valid value for frame-ancestors is a domain such as https://www.example.org or a wildcard domain such as https://*.example.org.
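As an added illustration, not DeskDirector's own code (which this page does not show), the Python below models how a browser evaluates the frame-ancestors values described above, using the same host-source matching that the script-src directive from the XSS bullet relies on. The header layout, the CDN origin https://cdn.example.net and the example.org hosts are constructed assumptions, not DeskDirector's real values.

```python
"""Model of CSP host-source matching for frame-ancestors (and script-src).

Constructed example: the policy layout and every origin below are assumptions,
not DeskDirector's actual configuration.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_csp(frame_ancestors, script_cdn="https://cdn.example.net"):
    """Render a policy header. Only frame-ancestors is meant to be altered;
    an empty list yields 'none', i.e. nobody may frame the application."""
    directives = {
        "default-src": ["'self'"],
        "script-src": [script_cdn],  # placeholder CDN origin, not the real one
        "frame-ancestors": list(frame_ancestors) or ["'none'"],
    }
    return "; ".join(f"{name} {' '.join(vals)}" for name, vals in directives.items())


def parse_csp(header):
    """Split a serialized policy into {directive-name: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _parts(url):
    """(scheme, host, explicit port or None) for an origin or host-source."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower(), p.port


def source_matches(expression, origin):
    """Does one host-source expression such as https://*.example.org permit
    origin?  Implements the CSP3 scheme/host/port rules: an http pattern is
    satisfied by an https origin, '*.example.org' covers subdomains but NOT
    example.org itself, and a pattern without a port only matches the
    default port of the origin's scheme.  Keyword sources are not handled."""
    if expression.startswith("'"):
        return False
    e_scheme, e_host, e_port = _parts(expression)
    o_scheme, o_host, o_port = _parts(origin)
    if not e_scheme or not o_scheme:
        return False  # this model requires an explicit scheme on both sides
    if e_scheme != o_scheme and not (e_scheme == "http" and o_scheme == "https"):
        return False
    if e_host == "*":
        pass
    elif e_host.startswith("*."):
        if not o_host.endswith(e_host[1:]):  # must end with ".example.org"
            return False
    elif e_host != o_host:
        return False
    o_effective = o_port if o_port is not None else DEFAULT_PORTS.get(o_scheme)
    if e_port is None:
        return o_effective == DEFAULT_PORTS.get(o_scheme)
    return e_port == o_effective


def framing_allowed(header, embedder_origin, self_origin=None):
    """May a page served from embedder_origin put this response in a frame?"""
    sources = parse_csp(header).get("frame-ancestors")
    if sources is None:
        return True  # no directive: the browser applies no CSP framing limit
    for source in sources:
        if source == "'none'":
            return False
        if source == "'self'":
            if self_origin and _parts(self_origin) == _parts(embedder_origin):
                return True
            continue
        if source_matches(source, embedder_origin):
            return True
    return False


if __name__ == "__main__":
    header = build_csp(["https://www.example.org", "https://*.example.org"])
    print(header)
    for origin in ("https://www.example.org", "https://portal.example.org",
                   "https://example.org", "http://www.example.org"):
        print(origin, "->", framing_allowed(header, origin))
```

The cases worth noting when choosing a value: the wildcard form https://*.example.org covers www.example.org and portal.example.org but not the bare example.org, an https value does not permit an http embedder, and a value without a port only matches the default port of its scheme, so an embedder on https://www.example.org:8443 is refused.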

Custom Setup

DeskDirector server does allow custom CSP directives; this capability exists to support special scenarios. We do not provide any interface for this setting, and it is only available through consulting if you have purchased the platinum package. Because the CSP directives have to be designed and signed off by DeskDirector senior developers, any incorrect value could leave the web application non-functional.
