Enabling CSP headers and defining allowlists

Content Security Policy (CSP) is an HTTP response security header that developers and security architects can use to define lists of domains from which the site can load resources and executable scripts. In WorldServer, you configure the list of allowed domains for the CSP header in the general.properties file.

About this task

Usually, the allowed domains are those from which WorldServer consumes data or those it communicates with, such as JasperReports Server or Online Editor. For more information, see the Mozilla developer documentation.

Procedure

  1. Go to the path where the WorldServer configuration files are stored.
  2. Open the general.properties file with a text editor.
  3. Add the following properties:
    • enable_csp_protection=true
    • csp_whitelisted_domains=<list-of-domains>
    Separate the allowed domains with commas. The list of allowed domains is used only when CSP protection is enabled.
  4. Save and close the general.properties file.
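
After saving the file, the two properties can be checked with a short script. The following Python check is an added example, not part of WorldServer: it reads the text of general.properties and reports when the domain list is set while CSP protection is off, when the list contains empty or whitespace-separated entries, or when an entry is a bare wildcard. The hostnames are constructed samples, and treating only the literal value true as enabled is an assumption.

```python
import re

ENABLE_KEY = "enable_csp_protection"      # property names from the procedure
DOMAINS_KEY = "csp_whitelisted_domains"

def parse_properties(text):
    """Read key=value / key:value lines; skip blanks and #/! comments.
    Line continuations are not handled. The last duplicate key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_csp(text):
    """Return a list of findings for the two CSP properties."""
    props = parse_properties(text)
    findings = []
    # Assumption: only the literal value shown in the procedure counts as enabled.
    enabled = props.get(ENABLE_KEY) == "true"
    raw = props.get(DOMAINS_KEY)
    if not enabled:
        findings.append(f"{ENABLE_KEY} is not set to true")
        if raw:
            findings.append(f"{DOMAINS_KEY} is set but unused while CSP protection is off")
    if raw is None:
        if enabled:
            findings.append(f"{DOMAINS_KEY} is not defined")
        return findings
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            findings.append("empty entry in the domain list (stray comma)")
        elif entry == "*":
            findings.append("entry '*' is a wildcard, not a specific domain")
        elif re.search(r"\s", entry):
            findings.append(f"entry {entry!r} contains whitespace; use commas between domains")
    return findings

# Constructed sample inputs (hypothetical hostnames).
GOOD = "enable_csp_protection=true\ncsp_whitelisted_domains=reports.example.com,editor.example.com\n"
BAD = ("# sample\nenable_csp_protection=false\n"
       "csp_whitelisted_domains=reports.example.com,,editor.example.com cdn.example.com\n")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_csp(sample) or "no findings")
```

To check a real installation, pass the contents of general.properties to audit_csp(); an empty result means none of these conditions were found.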