Content Security Policy
This header helps to prevent code injection attacks such as cross-site scripting, and, through its frame-ancestors directive, clickjacking, by telling the browser which resources a page may load and which sites may frame it. The value of the Content-Security-Policy header is a list of directives separated by semicolons; each directive names a resource type (script-src, style-src, img-src and so on) followed by the sources allowed for it. The keyword 'self' means the same origin as the HTML document. With a minimal policy such as default-src 'self', the page may fetch scripts, stylesheets and other resources only from the origin that served the HTML; scripts from external CDNs and similar third-party hosts are blocked unless their origins are added to the relevant directive. Note that frame-ancestors does not inherit from default-src, so a policy without it gives no clickjacking protection.
This subsection describes the Content Security Policy settings for SigningHub Admin, Web and Mobile Web.
Configure the "Content Security Policy" parameters in SigningHub Global Settings
- Click the "Configurations" option from the left menu.
- Click the "Global Settings" option.
- Global Settings will appear; select the "Content Security Policy" option from the top right drop down.
- Configure these settings as required and click the "Save" button at the bottom of the screen. Changes to the Content Security Policy take effect only after the website is restarted. After the restart, confirm the new value by inspecting the Content-Security-Policy response header of the affected site, for example in the browser's developer tools.
The table below describes the fields.

| Field | Description |
|---|---|
| Admin Content Security Policy | Specifies the Content Security Policy sent with SigningHub Admin pages. The value is read from the database by default and can be edited as required; the field holds at most 4000 characters. Default: `form-action 'none'; base-uri 'self'; frame-ancestors 'none'; default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; object-src 'none'; script-src 'self' ;` |
| Web Content Security Policy | Specifies the Content Security Policy sent with SigningHub Web pages. The value is read from the database by default and can be edited as required; the field holds at most 4000 characters. Default: `object-src 'none'; default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop ; connect-src 'self' https://graph.microsoft.com/v1.0/ https://dc.services.visualstudio.com/v2/track https://client.go-sign-desktop.com:8782 https://web.signinghub.com/adss/gosign/handler https://client.go-sign-desktop.com:8782/gosign-desktop ws://web.signinghub.com/; child-src 'self' https://docs.google.com/picker https://client.go-sign-desktop.com:8782/gosign-desktop https://accounts.google.com https://api.taxamo.com/ https://c.taxamo.com/ https://p.taxamo.com/ https://www.google.com/ ; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://az416426.vo.msecnd.net/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ http://apis.google.com https://docs.google.com/picker https://js.live.net https://www.google-analytics.com https://bat.bing.com https://www.googleadservices.com https://client.go-sign-desktop.com:8782/gosign-desktop https://web.signinghub.com https://api.taxamo.com/js/v1/taxamo.all.js https://graph.microsoft.com/v1.0/ ; style-src 'self' 'unsafe-inline'; img-src 'self' * data: blob:;` |
| Mobile Web Content Security Policy | Specifies the Content Security Policy sent with SigningHub Mobile Web pages. The value is read from the database by default and can be edited as required; the field holds at most 4000 characters. Default: `object-src 'none'; default-src 'self' ;connect-src 'self' [%SigningHub_SigningHub.MobileWeb_URL%] [%SigningHub_API_URL%] ; child-src 'self' https://docs.google.com/picker https://accounts.google.com https://content.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://apis.google.com https://docs.google.com/picker https://web.signinghub.com https://bat.bing.com https://www.googleadservices.com; style-src 'self' 'unsafe-inline';font-src * data:; img-src 'self' * data: blob:;` |

Additional URLs listed under the Mobile Web Content Security Policy field (the directive they belong to is not shown):
- https://client.localmiddleware.be:20202/version https://client.localmiddleware.be:20202/status https://client.localmiddleware.be:20202/events https://client.localmiddleware.be:20202/session https://client.localmiddleware.be:20202/eID/signingSession https://client.localmiddleware.be:20202/eID/id https://client.localmiddleware.be:20202/eID/nonRepudiationCertificate https://client.localmiddleware.be:20202/eID/citizenCertificate https://client.localmiddleware.be:20202/eID/rootCertificate https://client.localmiddleware.be:20202/eID/signRsa
- https://api.taxamo.com/js/v1/taxamo.all.js

The default Admin policy is the strict one of the three. The default Web and Mobile Web policies allow 'unsafe-inline' and 'unsafe-eval' for scripts (which removes most of the protection against injected script), permit any host for images (and, for Mobile Web, fonts), include plaintext http:// and ws:// origins, and set no frame-ancestors, base-uri or form-action directive. Treat them as a starting point and remove every source and keyword your deployment does not actually need.
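As an added example that is not SigningHub's own code, the following script parses a Content-Security-Policy value the way a browser does (directives split on semicolons, duplicate directives ignored after the first, fetch directives falling back to default-src, frame-ancestors and friends never falling back) and flags the weakening settings discussed above. It is run over the Admin and Web default values quoted in the table; the finding codes and the 4000-character check are this example's own conventions, not anything SigningHub reports.

```javascript
// Added example (not SigningHub code): parse a Content-Security-Policy value
// into its directives and flag settings that weaken it. ADMIN_CSP and WEB_CSP
// below are the defaults quoted in the table above.

// Fallback chains as browsers apply them: fetch directives inherit from
// default-src when absent; document and navigation directives never do, so
// default-src 'self' gives no clickjacking protection on its own.
const FALLBACK = {
  'script-src': ['default-src'], 'style-src': ['default-src'],
  'img-src': ['default-src'], 'connect-src': ['default-src'],
  'font-src': ['default-src'], 'object-src': ['default-src'],
  'child-src': ['default-src'], 'frame-src': ['child-src', 'default-src'],
  'frame-ancestors': [], 'form-action': [], 'base-uri': [],
};

// "name src src; name src" -> Map(name -> [src, ...]). Browsers honour only
// the first occurrence of a duplicated directive, so the parser does the same.
function parseCsp(policy) {
  const directives = new Map();
  for (const segment of policy.split(';')) {
    const [name, ...sources] = segment.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// The source list that actually governs `name`, or null if nothing restricts it.
function effectiveSources(directives, name) {
  for (const candidate of [name, ...(FALLBACK[name] ?? [])]) {
    if (directives.has(candidate)) return directives.get(candidate);
  }
  return null;
}

// Returns [{ directive, code, detail }] for each weakness found.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const add = (directive, code, detail) => findings.push({ directive, code, detail });

  for (const name of ['script-src', 'style-src']) {
    const sources = effectiveSources(d, name);
    if (sources === null) { add(name, 'missing', `neither ${name} nor default-src is set`); continue; }
    // A nonce or hash makes CSP Level 2+ browsers ignore 'unsafe-inline'.
    const nonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (sources.includes("'unsafe-inline'") && !nonceOrHash) {
      add(name, 'unsafe-inline', `injected inline ${name === 'script-src' ? 'scripts' : 'styles'} are not blocked`);
    }
    if (name === 'script-src' && sources.includes("'unsafe-eval'")) {
      add(name, 'unsafe-eval', 'eval() and new Function() are permitted');
    }
  }

  for (const name of ['script-src', 'style-src', 'img-src', 'connect-src', 'font-src', 'child-src', 'object-src']) {
    const sources = effectiveSources(d, name);
    if (sources === null) continue;
    const wild = sources.filter(s => ['*', 'http:', 'https:'].includes(s));
    if (wild.length) add(name, 'wildcard', `any host allowed via ${wild.join(' ')}`);
    const plain = sources.filter(s => /^(http|ws):\/\//i.test(s));
    if (plain.length) add(name, 'plaintext', `unencrypted origins: ${plain.join(' ')}`);
  }

  if (effectiveSources(d, 'object-src') === null) add('object-src', 'missing', 'plugin content (object/embed) is unrestricted');
  if (!d.has('frame-ancestors')) add('frame-ancestors', 'missing', 'any site may frame the page: no clickjacking protection from CSP');
  if (!d.has('base-uri')) add('base-uri', 'missing', 'an injected <base> tag can redirect relative script URLs');
  if (!d.has('form-action')) add('form-action', 'missing', 'forms may submit to any origin');
  if (policy.length > 4000) add('(policy)', 'too-long', `${policy.length} characters exceeds the 4000-character field limit`);
  return findings;
}

// Default values quoted in the table above.
const ADMIN_CSP = "form-action 'none'; base-uri 'self'; frame-ancestors 'none'; default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; object-src 'none'; script-src 'self' ;";
const WEB_CSP = "object-src 'none'; default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop ; connect-src 'self' https://graph.microsoft.com/v1.0/ https://dc.services.visualstudio.com/v2/track https://client.go-sign-desktop.com:8782 https://web.signinghub.com/adss/gosign/handler https://client.go-sign-desktop.com:8782/gosign-desktop ws://web.signinghub.com/; child-src 'self' https://docs.google.com/picker https://client.go-sign-desktop.com:8782/gosign-desktop https://accounts.google.com https://api.taxamo.com/ https://c.taxamo.com/ https://p.taxamo.com/ https://www.google.com/ ; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://az416426.vo.msecnd.net/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ http://apis.google.com https://docs.google.com/picker https://js.live.net https://www.google-analytics.com https://bat.bing.com https://www.googleadservices.com https://client.go-sign-desktop.com:8782/gosign-desktop https://web.signinghub.com https://api.taxamo.com/js/v1/taxamo.all.js https://graph.microsoft.com/v1.0/ ; style-src 'self' 'unsafe-inline'; img-src 'self' * data: blob:;";

for (const [label, policy] of [['Admin', ADMIN_CSP], ['Web', WEB_CSP]]) {
  const findings = auditCsp(policy);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.directive} [${f.code}] ${f.detail}`);
}
```

Run with `node` after pasting a candidate policy in place of one of the constants; the Admin default yields a single finding (style-src 'unsafe-inline'), while the Web default yields nine, which is a quick way to see how much the two policies differ before you decide what to remove from the Web and Mobile Web values.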
See Also
- General
- Service Plan
- Default Locale
- Session and Links Expiry Time
- Default Connectors
- Alerts
- Default Password Policy
- License Alert Setting
- Bulk Actions
- Core Settings
- Analytics Tracking Codes