Until now, Solution Owners and Administrators have configured the Content-Security-Policy (CSP) by specifying a Custom Header in the web.config file.
From this version of MooD onwards, the CSP is configured from within Active Enterprise Settings, under the "Security" tab.
These changes provide the following benefits:
- The Content-Security-Policy can now be applied to Web Preview, improving the security for Business Architect users
- The Content-Security-Policy is managed in one place
- The policy is saved in the Repository, making it more portable
Where a site-specific CSP has been declared in the web.config file, the same value now needs to be saved in Active Enterprise Settings and the CSP header removed from the web.config file, so that the policy is sent by one mechanism only.
When changing these settings, any models already open in Web Preview need to be refreshed twice before the new value takes effect.
Note: the value entered in Active Enterprise Settings is not parsed or validated, so whatever is typed is what the browser receives. It is the responsibility of the Solution Builder/Administrator to ensure that the policy is syntactically valid and achieves the intended outcome. A practical check is to load the site in a browser after saving the setting and inspect the response headers and the developer console: a directive the browser cannot parse is ignored (silently weakening the policy), while an over-strict policy shows up as CSP violation reports in the console.
Resources can be found online to assist with this. Where the header must still be set by IIS rather than by the application, for example on routes that the Active Enterprise setting does not cover, the following options remain available:
- Use the IIS URLRewrite Module to add the header, only for the affected routes,
- Revert to specifying the CSP as a Custom Header in the web.config file,
- In the web.config file, set the configuration to handle all requests as managed (this option carries a performance cost, because every request, including static files, then passes through the managed pipeline).
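The three options above expressed as web.config fragments, as an added illustration; this is not MooD's shipped web.config nor MooD documentation. The route prefix `/Content/`, the rule name and the policy value are assumptions chosen for the example, and the URL Rewrite option requires the IIS URL Rewrite module to be installed. Only one of the three should be enabled on a given site; options 2 and 3 are commented out here.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added illustration, not MooD's own web.config. Assumed values: the static
     route prefix "/Content/", the rule name and the policy string; replace them
     with your site's actual paths and policy. -->
<configuration>
  <system.webServer>

    <!-- Option 1: IIS URL Rewrite outbound rule (needs the URL Rewrite module).
         Sets the header only on responses whose request path starts with
         /Content/. "RESPONSE_<name>" is the URL Rewrite convention for a response
         header; pattern ".*" also matches an absent header, so the rule creates
         the header when it is missing rather than only rewriting an existing one. -->
    <rewrite>
      <outboundRules>
        <rule name="CSP for static content routes">
          <match serverVariable="RESPONSE_Content_Security_Policy" pattern=".*" />
          <conditions>
            <add input="{REQUEST_URI}" pattern="^/Content/" />
          </conditions>
          <action type="Rewrite" value="default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'" />
        </rule>
      </outboundRules>
    </rewrite>

    <!-- Option 2: the pre-release approach, a custom header on every response
         served by this site. Remove this once the policy has been moved into
         Active Enterprise Settings: browsers enforce every
         Content-Security-Policy header they receive, so a stale value left
         here would still restrict pages alongside the new one. -->
    <!--
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self'" />
      </customHeaders>
    </httpProtocol>
    -->

    <!-- Option 3: route every request, static files included, through the
         managed (ASP.NET) pipeline so that managed modules see all of them.
         This is the source of the performance cost mentioned above, because
         images, scripts and stylesheets no longer take IIS's native fast path. -->
    <!--
    <modules runAllManagedModulesForAllRequests="true" />
    -->

  </system.webServer>
</configuration>
```

After applying any of these, request a page and a static resource from the site and confirm that exactly one Content-Security-Policy header is returned on each, with the value you intended; two headers with different values means an old web.config setting is still active.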