Customising CSP headers

security

(Andy Doyle) #1

Hi,

We’ve started adding badges from the VSTS build definitions to the description of our Octopus projects and none of the images would load due to CSP being enabled on our Octopus server.

I know we can get this working by turning CSP off; but we then don’t benefit from any of the security that the content-security-policy header provides.

Is there any way to add custom values to the CSP header set by Octopus? If not, can I make a wish for it in a future version?

Thanks.
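The behaviour Andy describes (external badge images refused because the page is served with a CSP header) can be reproduced offline with a small evaluator. This is an added example, not code from the thread or from Octopus Deploy: the header value, hostnames and URLs below are constructed for illustration, and the real policy Octopus sends is not shown anywhere in the thread. The matching rules are a simplified version of the CSP source-expression matching browsers perform ('self', 'none', '*', scheme sources, host sources with wildcard subdomain, port and path prefix); nonces, hashes and the exotic corners of the spec are left out.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Constructed example header; this is NOT the policy Octopus Deploy actually sends.
EXAMPLE_CSP = "default-src 'self'; img-src 'self' data:; script-src 'self'"
PAGE_URL = "https://octopus.example.test/app"            # assumed Octopus portal origin
BADGE_URL = "https://badges.example.test/build.svg"      # assumed external badge image


def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}.
    Per the spec, only the first occurrence of a directive counts."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _port(url):
    return url.port or DEFAULT_PORTS.get(url.scheme)


def _host_source_matches(expr, url):
    """Match a host-source: [scheme://]host[:port][/path]."""
    scheme, rest = (expr.split("://", 1) if "://" in expr else (None, expr))
    hostport, path = (rest.split("/", 1) + [""])[:2]
    path = "/" + path if "/" in rest else ""
    host, port = (hostport.rsplit(":", 1) + [None])[:2] if ":" in hostport else (hostport, None)
    host = host.lower()
    uhost = (url.hostname or "").lower()

    # Scheme: explicit scheme must match (http: also admits https:); otherwise only http(s) URLs.
    if scheme:
        if url.scheme != scheme.lower() and not (scheme.lower() == "http" and url.scheme == "https"):
            return False
    elif url.scheme not in ("http", "https"):
        return False
    # Host: "*.example.test" covers subdomains only, not the bare domain.
    if host.startswith("*."):
        if not uhost.endswith(host[1:]):
            return False
    elif host != "*" and uhost != host:
        return False
    # Port: explicit port must match; no port means the URL must use its scheme's default port.
    if port == "*":
        pass
    elif port is not None:
        if _port(url) != int(port):
            return False
    elif url.port is not None and url.port != DEFAULT_PORTS.get(url.scheme):
        return False
    # Path: trailing "/" is a prefix match, otherwise exact.
    if path and (not url.path.startswith(path) if path.endswith("/") else url.path != path):
        return False
    return True


def source_matches(expr, url, page):
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (url.scheme, url.hostname, _port(url)) == (page.scheme, page.hostname, _port(page))
    if expr == "*":
        return url.scheme not in ("data", "blob", "filesystem")
    if expr.endswith(":") and "/" not in expr:          # scheme-source such as https: or data:
        scheme = expr[:-1].lower()
        return url.scheme == scheme or (scheme == "http" and url.scheme == "https")
    if expr.startswith("'"):                            # 'unsafe-inline', nonces, hashes: never match a URL
        return False
    return _host_source_matches(expr, url)


def image_allowed(csp_header, image_url, page_url):
    """Would a browser load image_url on page_url under this CSP header?"""
    policy = parse_csp(csp_header)
    sources = policy.get("img-src", policy.get("default-src"))  # img-src falls back to default-src
    if sources is None:
        return True                                             # no governing directive: unrestricted
    url, page = urlparse(image_url), urlparse(page_url)
    return any(source_matches(s, url, page) for s in sources)


def add_source(csp_header, directive, source):
    """Return a new header with `source` appended to `directive`, seeding the
    directive from default-src if it was not present (the 'custom value' Andy asks for)."""
    policy = parse_csp(csp_header)
    sources = [s for s in policy.get(directive, policy.get("default-src", [])) if s != "'none'"]
    if source not in sources:
        sources.append(source)
    policy[directive] = sources
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in policy.items())


if __name__ == "__main__":
    print("badge under default policy:", image_allowed(EXAMPLE_CSP, BADGE_URL, PAGE_URL))
    widened = add_source(EXAMPLE_CSP, "img-src", "https://badges.example.test")
    print("widened policy:", widened)
    print("badge under widened policy:", image_allowed(widened, BADGE_URL, PAGE_URL))
```

To see what your own server actually sends, fetch the portal page with `curl -sI` and look for the `Content-Security-Policy` response header; the value it returns is what to feed into `image_allowed` in place of the constructed one. The `add_source` helper only widens `img-src`, which is the minimal relaxation for badge images; it leaves `script-src` and the other directives untouched, which is the point of preferring a targeted exception over switching CSP off.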


(Michael Noonan) #2

Hi Andy,

Thanks for getting in touch! We don’t allow you to customise the CSP header, just enable/disable it. We really added disable as an option in case we broke somebody and they needed a workaround, but we strongly recommend keeping it on in its default format.

I can see the potential value in providing some options to relax certain parts of the CSP, but as it stands, this is the first request we’ve had.

I think the best course of action for both of us right now is to put a suggestion in at https://octopusdeploy.uservoice.com

Hope that helps!
Mike