Content-Security-Policy header | HCL Digital Experience

The Content-Security-Policy header allows an allowlist of trusted sources to be created that instructs the browser to only execute or render resources included in the list.

Note: The header is defined for each page and will be included on every response sent to the browser.
For example:
Content-Security-Policy: script-src 'self'
The Content-Security-Policy header instructs the browser to allow resources from this site or It also throws an error, like the one below, if it tries to load script from any other source.
Content-Security-Policy header
Below are some of the resource directives which can be included on the Content-Security-Policy header:
Serves as a fallback for other directives.
Controls script-related privileges.
Defines the origins from which images can be loaded.
Controls style-related privileges.
Specifies a URL where a browser will send reports when a content security policy is violated.
Note: There are several directives, but this list represents the ones implemented in DX.
The source list accepts four keywords:
Matches nothing.
Matches the current origin, but not subdomains.
Allows inline Javascript and CSS.
Allows text-to-Javascript mechanisms like eval.
For example:
Content-Security-Policy: script-src 'self'