Content Security Policy (CSP) for the App

Hi,

My app doesn't have any external API endpoints, but I use some marketplace modules. I added the Content-Security-Policy (CSP) header as

CSP: default-src 'self';
     script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googleapis.com https://*.gstatic.com https://www.googletagmanager.com https://www.google-analytics.com;
     style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.googleapis.com;
     img-src 'self' data: https://www.google-analytics.com https://*.gstatic.com https://*.googleapis.com https://*.ggpht.com https://www.google.com;
     connect-src 'self' https://www.google-analytics.com https://stats.g.doubleclick.net https://www.google.com;
     frame-src 'self' https://www.google.com https://*.googleapis.com;

at the Environments -> Network -> HTTP Headers section. Is my CSP OK? Or is there a security vulnerability?
asked
1 answer

Hi AYBERK AKBALIK,


First, having a CSP is already more secure than having none, which is also quite common.

✅ Your CSP looks very good, as you only allow safe hosts as origins for scripts and other documents.


The most 'unsafe' parts are 'unsafe-eval' and 'unsafe-inline'. I think you could work this one out by moving all JS out of the HTML into its own files. You can read more about that in the Mendix documentation.


Good luck!

Johan Flikweert

answered