Set Content-Security-Policy by default for API Developer Portal 3.5

Idea created by Mark.ODonohue Employee on Jun 27, 2018

A security requirement came up in one client's setup. The penetration test required the API Portal server to return a "Content-Security-Policy" header. The default API Portal install does not have one.

Some references:


Implementing on API Portal 3.5:

On the API Portal, in /etc/httpd/conf

Start with a basic security policy:

    Header set Content-Security-Policy "default-src 'self';"

Then restart the Apache httpd server.


Then access the API Portal using the Chrome browser with the console open; it will give an error for each operation or access that does not comply with the security policy. We then added extra policy for all the ones we found, restarted the httpd service again and retested until there were no more security exceptions.


For example: use of api-explorer needed 'unsafe-eval'; and if analytics were enabled, access was required to content from



Our final working Content-Security-Policy for API Portal 3.5 was:

    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: ;"
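The iterative procedure above (start strict, read the browser console, widen the policy) is easier to reason about if you can see which source expressions a given policy ends up allowing. The following is an added example, not part of the original idea post or of the API Portal product: a small Python parser for Content-Security-Policy header values that splits the two policies quoted above into directives and flags the source expressions that weaken a CSP. The `RISKY_SOURCES` table and the function names are this example's own assumptions; the policy strings are the two from the post.

```python
"""Added example: parse a Content-Security-Policy header value and flag the
source expressions that reopen the holes CSP is meant to close.
The two policy strings below are the ones quoted in the post above."""
from typing import Dict, List

# The value passed to `Header set Content-Security-Policy` at each stage.
BASIC_POLICY = "default-src 'self';"
FINAL_POLICY = "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: ;"

# Source expressions that weaken CSP's protection against injected script/style.
# Table constructed for this example; reasons are standard CSP semantics.
RISKY_SOURCES = {
    "'unsafe-inline'": "permits inline <script>/<style> and on* handlers, so injected markup executes",
    "'unsafe-eval'": "permits eval()/new Function()/string timers, so injected strings can become code",
    "data:": "permits data: URLs, which can carry script or style bodies",
    "*": "wildcard host source permits any origin",
    "http:": "scheme-only source permits any plain-HTTP origin",
    "https:": "scheme-only source permits any HTTPS origin",
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [source expressions]}.

    Directives are ';'-separated; within a directive the first token is the
    (case-insensitive) name and the rest are source expressions.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # trailing ';' or empty chunk
        name = tokens[0].lower()
        directives.setdefault(name, []).extend(tokens[1:])
    return directives


def effective_sources(policy: str, directive: str) -> List[str]:
    """Return the sources that apply to a fetch directive such as script-src.

    Fetch directives fall back to default-src when not set explicitly, which
    is why a permissive default-src (as in FINAL_POLICY) loosens script-src
    and style-src at the same time.
    """
    directives = parse_csp(policy)
    return directives.get(directive, directives.get("default-src", []))


def audit_csp(policy: str) -> List[str]:
    """Return one finding per risky source expression, naming its directive."""
    findings = []
    for name, sources in parse_csp(policy).items():
        for src in sources:
            reason = RISKY_SOURCES.get(src.lower())
            if reason:
                findings.append(f"{name} {src}: {reason}")
    return findings


if __name__ == "__main__":
    for label, policy in (("basic", BASIC_POLICY), ("final", FINAL_POLICY)):
        print(f"{label}: {policy}")
        print("  script-src effectively:", effective_sources(policy, "script-src"))
        for finding in audit_csp(policy) or ["  no risky sources"]:
            print(" ", finding)
```

Running it shows that the basic policy has no findings while the final policy carries three ('unsafe-inline', 'unsafe-eval' and data:), all inherited by script-src and style-src through the default-src fallback. When iterating on a policy as the post describes, Apache's `Header set Content-Security-Policy-Report-Only "..."` lets the browser report violations without blocking anything, so the portal keeps working while the allow-list is being refined; moving 'unsafe-eval' and 'unsafe-inline' out of default-src into only the directives that actually need them (script-src for api-explorer, for instance) keeps the rest of the policy strict.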



But it would be good if this, or a similar policy, were set by default in the API Portal 3.5 install.

Cheers - Mark