API Connect

The CSP configuration for IBM API Connect portal site

By Saber Hamidi posted Mon June 10, 2024 12:30 PM


Content Security Policy (CSP)

Content Security Policy (CSP) is a security feature designed to protect web applications from various types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. CSP works by allowing web administrators to define the sources from which browsers are permitted to load content. Our portal sites have the Content Security Policy module enabled by default, but Enforced mode is not supported: it stops our CSS styling and scripts from loading, which breaks core Developer Portal functionality such as API rendering and the content editor. We therefore recommend "Report only" mode. You can change the Content Security Policy settings for a site by following the steps below:

1: Log in to the site as admin.

2: Navigate to Manage >> Configuration >> System >> Content Security Policy

3: Click the "Enforced" tab and make sure "Enable Enforced" is unchecked.

Some customers reported that their APIs were not being rendered even though they had not enabled Enforced mode in their site's CSP configuration. When we investigated, we found that a CSP policy was being enforced at the load balancer level:

HTTP::header replace "Content-Security-Policy: default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"

This setting has the same effect as the Enforced mode of the CSP module and resulted in the same issue. We therefore recommend not enforcing the above policy at the load balancer level either, so that the sites remain fully functional.
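To make the difference concrete, here is an added Python example (not from the original post, and not the Drupal CSP module's own code) that parses a policy such as the load balancer one above, resolves which directive governs styles and scripts through the default-src fallback, checks whether inline content would be permitted, and shows the same policy forwarded as a Content-Security-Policy-Report-Only header instead of an enforcing one. The sample response headers are constructed for the example.

```python
"""Inspect CSP headers on a portal response and explain why an enforced
`default-src 'self'` policy blocks inline styles and scripts.

Added example, not code from the original post or the Drupal CSP module.
The sample headers below are constructed for illustration.
"""
from typing import Dict, List, Optional

ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# Policy quoted in the post as applied at the load balancer.
LB_POLICY = (
    "default-src 'self'; form-action 'self'; object-src 'none'; "
    "frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
)

# Fetch directives that inherit default-src when they are not set explicitly.
# Navigation directives such as form-action and frame-ancestors do not.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "frame-src", "object-src",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, *sources = tokens
        directives.setdefault(name.lower(), []).extend(sources)
    return directives


def effective_sources(directives: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Return the source list that governs `directive`, or None if unrestricted."""
    if directive in directives:
        return directives[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src")
    return None


def allows_inline(directives: Dict[str, List[str]], directive: str) -> bool:
    """True if inline content of this type loads under the policy.

    Inline scripts/styles are allowed when no directive governs them or when
    the governing directive lists 'unsafe-inline'. A nonce or hash would also
    admit individual blocks; this check treats that as blocked to stay
    conservative.
    """
    sources = effective_sources(directives, directive)
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


def enforcement_mode(headers: Dict[str, str]) -> str:
    """Classify a response as 'enforced', 'report-only' or 'none'."""
    lowered = {k.lower() for k in headers}
    if ENFORCE_HEADER.lower() in lowered:
        return "enforced"
    if REPORT_ONLY_HEADER.lower() in lowered:
        return "report-only"
    return "none"


def to_report_only(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy the headers, replacing an enforcing CSP with its report-only form."""
    out = {}
    for name, value in headers.items():
        if name.lower() == ENFORCE_HEADER.lower():
            out[REPORT_ONLY_HEADER] = value
        else:
            out[name] = value
    return out


if __name__ == "__main__":
    # Constructed response as it would leave the load balancer.
    response = {"Content-Type": "text/html", ENFORCE_HEADER: LB_POLICY}
    policy = parse_csp(LB_POLICY)
    print("mode:", enforcement_mode(response))
    for kind in ("style-src", "script-src"):
        print(f"{kind}: governed by {effective_sources(policy, kind)}, "
              f"inline allowed: {allows_inline(policy, kind)}")
    print("report-only form:", to_report_only(response))
```

Running it shows that style-src and script-src both fall back to `default-src 'self'`, so any inline CSS or script on the page is blocked while the header is sent as Content-Security-Policy; the same value under Content-Security-Policy-Report-Only only generates violation reports and leaves the page working.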

#APIConnect #developerportal #portal #drupal