Content Security Policy Editor

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain kinds of code injection attacks, such as Cross-Site Scripting (XSS). It works by telling the browser which sources it may load scripts, styles, images and other resources from; a script injected into the page, or fetched from an origin the policy does not list, is refused. CSP is defense in depth: it does not replace output encoding and input validation in the portal's own templates.

The Content Security Policy editor lets you give your customers a secure Developer Portal experience, with tight control over the content the portal will attempt to load or integrate. Maintaining a robust Content-Security-Policy header on the web/application server is now the expected baseline for a public-facing site, and carefully defining the contract for where site content may come from is a bulwark against XSS attacks.

You will notice, as you begin implementing and customizing your Developer Portal, that the out-of-the-box default policy is very restrictive. This is by design: the server starts out with least privilege for the default behaviors of the core application. When you need to relax a CSP directive, add the specific host you need rather than opening the directive wide; allowing 'unsafe-inline' or a bare wildcard in script-src largely defeats the XSS protection the policy exists to provide. To relax a directive, navigate to the Content-Security-Policy editor:
  1. Log in to Configuration Manager and click Zone Settings.

  2. Scroll down to the Portal Settings section and look at your default CSP in the Preview pane.

Default Policy

We ship a very restrictive default policy that allows only the specific assets our own features need (for example, the opt-in ReCaptcha feature used to quality-gate user registration). This 'baseline' policy is always present in the served CSP, even if you delete it completely from your Zone Settings: the backend re-applies the necessary allowances on every response, so your changes cannot break our functionality.

Refinement

The Mashery Local Developer Portal is a functional, customizable blank slate for building developer community engagement. As your Developer Portal evolves, you will need to incorporate your brand imagery and other assets, potentially hosted elsewhere (for example on a CDN) or served from inside the portal via the ZIP File Asset Ingestion mechanism. Every external origin must be added to the relevant directive before the browser will load from it; the editor lets you make these refinements to your portal's CSP in an intuitive interface.

Directive Support

The editor currently has built-in support for the following ten directives:
default-src, script-src, img-src, font-src, style-src,
connect-src, object-src, child-src, frame-src, media-src
Note that default-src is the fallback the browser applies to any of the other directives you leave unset, so a host added only to default-src is permitted for every resource type.

For every directive above, you can:

  • use checkboxes to switch the directive's yes/no keyword options on or off
  • add hosts to the directive
  • remove hosts from the directive
  • review your configured CSP
  • live-preview the unsaved/proposed changes to your CSP

Adding Hosts

To add a host/domain to a directive:
  1. Type the host into the Hosts editor (for example, cdn.example.com).

  2. Then press TAB.

    Note: At this point, the Preview will reflect your current in-page configuration, but it won't be enforced by the Developer Portal until you click Save.
  3. Click Save.

Removing Hosts

When you want to remove a host from a particular CSP directive, hover your mouse over the host you no longer want in the policy; the tag-like bubble expands and you can click the X on the right side of the host name to remove it from the CSP. Removing a host that belongs to the shipped baseline policy has no effect on the served header, because the backend re-applies the baseline.

Preview

As you refine your CSP, the Preview pane updates automatically to show what the new policy will look like in the browser, with the baseline allowances merged in.
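The editor operations above (add a host, remove a host, toggle a keyword option, preview the merged result) and the baseline rule from the Default Policy section, modelled as an added JavaScript example. This is not Mashery's code: the class name CspEditor, the HOST_SOURCE pattern and the BASELINE object are assumptions for illustration, and the baseline shown is a constructed stand-in rather than the real shipped policy. It also shows why a host field must be validated: a value containing ';' would otherwise terminate the directive and append a second directive to the served header.

```javascript
// Added example, not Mashery code: a model of the CSP editor's operations and of
// the backend rule that the shipped baseline is always merged back into the
// served policy. Names and the BASELINE content are assumptions for illustration.

// The ten directives the editor exposes.
const DIRECTIVES = [
  'default-src', 'script-src', 'img-src', 'font-src', 'style-src',
  'connect-src', 'object-src', 'child-src', 'frame-src', 'media-src',
];

// Constructed stand-in for the vendor baseline (NOT the real shipped policy);
// captcha.example plays the role of the opt-in captcha widget's host.
const BASELINE = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://captcha.example'],
  'frame-src': ['https://captcha.example'],
};

// A host source is one token: [scheme://][*.]host[:port][/path]. Whitespace, ';'
// and ',' are refused because they would let a "host" typed into the editor
// terminate the directive and smuggle a second directive into the header.
const HOST_SOURCE =
  /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::(?:\d+|\*))?(?:\/[^\s;,]*)?$/i;

class CspEditor {
  constructor() {
    this.user = new Map(DIRECTIVES.map(d => [d, []]));   // the customer's additions
  }

  addHost(directive, host) {
    if (!this.user.has(directive)) throw new Error(`unsupported directive: ${directive}`);
    const h = host.trim().toLowerCase();
    if (!HOST_SOURCE.test(h)) throw new Error(`invalid host source: ${JSON.stringify(host)}`);
    const list = this.user.get(directive);
    if (!list.includes(h)) list.push(h);                  // adding twice is a no-op
    return this;
  }

  removeHost(directive, host) {
    const list = this.user.get(directive) || [];
    const i = list.indexOf(host.trim().toLowerCase());
    if (i >= 0) list.splice(i, 1);
    return this;
  }

  // The editor's checkboxes: quoted keyword sources such as 'self' or 'unsafe-inline'.
  setKeyword(directive, keyword, on) {
    if (!this.user.has(directive)) throw new Error(`unsupported directive: ${directive}`);
    const list = this.user.get(directive);
    const k = `'${keyword.replace(/'/g, '').toLowerCase()}'`;
    const i = list.indexOf(k);
    if (on && i < 0) list.push(k);
    if (!on && i >= 0) list.splice(i, 1);
    return this;
  }

  // The merged policy: baseline sources first, then the customer's, de-duplicated.
  // Because the baseline is re-applied here, removing a baseline host from the
  // user policy changes nothing in the served header.
  effective() {
    const merged = new Map();
    for (const d of DIRECTIVES) {
      let sources = [...new Set([...(BASELINE[d] || []), ...this.user.get(d)])];
      if (sources.length > 1) sources = sources.filter(s => s !== "'none'");  // 'none' only stands alone
      if (sources.length) merged.set(d, sources);
    }
    return merged;
  }

  // What the Preview pane shows and what the server sends after Save.
  render() {
    return [...this.effective()].map(([d, s]) => `${d} ${s.join(' ')}`).join('; ');
  }
}
```

Directives with no sources at all are left out of the rendered header rather than emitted empty, and a quoted keyword is only ever added through setKeyword, so the host field cannot be used to inject one.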

Testing

When you want to test your policy, navigate to any Developer Portal page and inspect the Content-Security-Policy header on the responses served from the portal domain.
  1. Click the Content Management System Preview button on a content object.

  2. Open your browser's Network debugging tool, select a response from your portal domain and look at its response headers.

You'll find that all Developer Portal pages served from your cluster carry your chosen policy. The browser console also logs every resource load the policy refused, which is the quickest way to find a host you still need to add before a page renders correctly.
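To check a policy without clicking through every page, the following added JavaScript example (not part of the Mashery product) evaluates a Content-Security-Policy header value against a resource URL roughly the way a browser does, applying the default-src and child-src fallback chain, and lists the sources that weaken script-src. The header value and page URL are constructed samples, not the shipped default policy; the matcher covers 'self', 'none', '*', scheme sources and host sources (scheme, *.wildcard, port, path) and deliberately omits nonces, hashes and 'strict-dynamic'.

```javascript
// Added example, not Mashery code: evaluates a Content-Security-Policy header
// value against resource URLs roughly as a browser does, so a policy can be
// checked offline. Nonces, hashes and 'strict-dynamic' are not modelled.

// CSP3 fallback chain for the directives the editor exposes.
const FALLBACK = { 'frame-src': ['child-src', 'default-src'], 'child-src': ['default-src'] };
for (const d of ['script-src', 'img-src', 'font-src', 'style-src', 'connect-src',
                 'object-src', 'media-src']) FALLBACK[d] = ['default-src'];

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Header value -> Map(directive -> [source expressions]). A repeated directive
// is ignored, as browsers honour only the first occurrence.
function parsePolicy(header) {
  const policy = new Map();
  for (const token of header.split(';')) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// The source list that governs `directive`, or null if nothing in the policy applies.
function effectiveSources(policy, directive) {
  for (const d of [directive, ...(FALLBACK[directive] || [])]) {
    if (policy.has(d)) return policy.get(d);
  }
  return null;
}

function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === page.origin;
  if (e.startsWith("'")) return false;                 // keyword/nonce/hash: never matches a URL
  if (e === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;   // scheme source, e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\*|\d+))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme ? url.protocol !== scheme + ':'
             : url.protocol !== page.protocol && url.protocol !== 'https:') return false;
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  if (port && port !== '*' && port !== (url.port || DEFAULT_PORT[url.protocol])) return false;
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Would a page at pageUrl be allowed to load resourceUrl under `directive`?
function allows(header, pageUrl, directive, resourceUrl) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;                   // no governing directive: unrestricted
  const url = new URL(resourceUrl), page = new URL(pageUrl);
  return sources.some(s => sourceMatches(s, url, page));
}

// Sources that largely neutralise the XSS protection of script-src. 'unsafe-inline'
// is reported only when no nonce/hash source is present, since browsers ignore it then.
function weakSources(header, directive = 'script-src') {
  const sources = effectiveSources(parsePolicy(header), directive) || [];
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.filter(s => {
    const l = s.toLowerCase();
    return l === "'unsafe-inline'" ? !hasNonceOrHash : l === "'unsafe-eval'" || l === '*';
  });
}

// Constructed sample header and page (not the shipped default policy).
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self' https://cdn.example.com; " +
  "img-src * data:; frame-src https://captcha.example; object-src 'none'";
const SAMPLE_PAGE = 'https://portal.example.com/docs';

// Report which of a set of candidate loads the policy would refuse.
function report(header, pageUrl, loads) {
  return loads.map(([directive, url]) => ({ directive, url, allowed: allows(header, pageUrl, directive, url) }));
}
```

Paste the header value copied from the Network tool into allows() or report() with the URLs your theme needs; anything reported as not allowed is a host still missing from the editor, and anything returned by weakSources() is a relaxation worth reconsidering.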