# Configure a content security policy

*This page applies to **Apigee** and **Apigee hybrid**.* View the [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation for that product.

Configure a content security policy (CSP) for all pages in your portal to
protect against cross-site scripting (XSS) and other code-injection attacks. The
CSP defines trusted sources for content such as scripts, styles, and images.
After you configure a policy, the visitor's browser blocks content loaded from
sources the policy does not trust.
The CSP is added as a `Content-Security-Policy` HTTP response header to all
pages in your portal, as follows:

`Content-Security-Policy: `*policy*

You define the policy using directives, as defined in
[Content Security Policy Directives](https://www.w3.org/TR/CSP3/#csp-directives) on the W3C site.

If you enable the CSP header, the following CSP directive is defined by default:

`default-src 'unsafe-eval' 'unsafe-inline' * data:`

The `default-src` directive configures the default policy for
resource types that do not have a configured directive.

**Note:** Apigee recommends that you define a default directive as part of the CSP to configure the minimum restrictions.

The following table describes the policies defined as part of the default directive.
| Policy | Access |
|---|---|
| `'unsafe-inline'` | Inline resources, such as inline `<script>` elements, `javascript:` URLs, inline event handlers, and inline `<style>` elements. Note: You must enclose the policy in single quotes. |
| `'unsafe-eval'` | Unsafe dynamic code evaluation, such as JavaScript `eval()` and similar methods used to create code from strings. Note: You must enclose the policy in single quotes. |
| `*` (wildcard) | Any URL except the `data:`, `blob:`, and `filesystem:` schemes. |
| `data:` | Resources loaded via the `data:` scheme (for example, Base64-encoded images). |
The following table provides examples of configuring the CSP to restrict specific resource types.

| Policy | Access |
|---|---|
| `default-src 'none'` | No access for resource types that do not have a configured directive. |
| `img-src *` | Image URLs from any source. |
| `media-src https://example.com/` | Video or audio URLs over HTTPS from the example.com domain. |
| `script-src *.example.com` | Execution of any script from a subdomain of example.com. |
| `style-src 'self' css.example.com` | Application of any style from the site's own origin or the css.example.com domain. |
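As an added example (not code from the Apigee documentation), the following Python script applies the source-expression rules described in the two tables above: it parses a header value, falls back to `default-src` for resource types that have no directive of their own, and evaluates both the default directive and a restrictive policy assembled from the example rows. The page origin `https://portal.example.net`, the resource URLs, and the simplified matching (no nonces, hashes, or path matching) are assumptions of the example.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']} (directive names lowercased)."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _host_matches(pattern, host):
    # '*.example.com' matches api.example.com but not example.com itself
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def source_allows(src, url, page_origin):
    """Does one source expression permit loading url from a page at page_origin?"""
    u = urlparse(url)
    if src in ("'none'", "'unsafe-inline'", "'unsafe-eval'"):
        return False                   # 'none' blocks; unsafe-* are not URL sources
    if src == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if src == "*":                     # the wildcard excludes the special schemes
        return u.scheme not in ("data", "blob", "filesystem")
    if src.endswith(":"):              # scheme source such as data:
        return u.scheme == src[:-1]
    s = urlparse(src if "://" in src else "//" + src)   # host source
    if s.scheme and s.scheme != u.scheme:
        return False
    if s.port and s.port != u.port:
        return False
    return _host_matches(s.hostname or "", u.hostname or "")

def csp_allows(header, resource_type, url, page_origin="https://portal.example.net"):
    """resource_type is the directive prefix ('img', 'script', ...); unlisted
    types fall back to default-src, and with no default-src the browser allows."""
    policy = parse_csp(header)
    sources = policy.get(resource_type + "-src", policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)

# Constructed policies: the page's default directive and one built from the example rows.
DEFAULT_CSP = "default-src 'unsafe-eval' 'unsafe-inline' * data:"
STRICT_CSP = ("default-src 'none'; img-src *; media-src https://example.com/; "
              "script-src *.example.com; style-src 'self' css.example.com")
```

Because `*` does not cover `data:`, the restrictive policy blocks a Base64-encoded image even though `img-src *` looks permissive; the default directive only allows such images because it lists `data:` explicitly.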
To configure a content security policy:

### Cloud Console UI

1. In the Apigee in Cloud console, go to the **Distribution > Portals** page.

   [Go to Portals](https://console.cloud.google.com/apigee/portals)
2. Click your portal.
3. Click **Settings** in the navigation menu.
4. Click the **Security** tab.
5. Click **Enable content security policy**.
6. Configure the CSP or leave the default.
7. Click **Save**.

### Classic UI

1. Select **Publish > Portals** and select your portal.
2. Select **Settings** in the drop-down menu in the top navigation bar. Alternatively, click **Settings** on the portal landing page.
3. Click the **Security** tab.
4. Click **Enable content security policy**.
5. Configure the CSP or leave the default.
6. Click **Save**.

You can restore the default CSP policy at any time by clicking **Restore default**.

Last updated 2025-08-28 UTC.