Implementing Content Security Policy in the APEX application

user-aeb47, Jun 1 2023

Hi everyone,

I'm trying to implement Content Security Policy in my application and have encountered some difficulties. I hope you can help me or confirm that it cannot be done in APEX.

I have a clean application without any changes created in APEX 20.2. I have only two pages: Login and Home pages.

I implemented a pretty basic Content Security Policy:

Content-Security-Policy: default-src 'self';

in Security Attributes of an application under:

Shared Components -> Security Attributes -> Browser Security -> HTTP Response Headers

Unfortunately, after that, my application does not work correctly because the JavaScript code generated by APEX is defined in <script> tags that are blocked by the policy. That code is automatically generated, so I can do nothing about that.

I also cannot use the CSP nonce mechanism because the code is automatically generated and I cannot add an attribute to the <script> tag.

The only way that I see right now is adding an 'unsafe-inline' option to the policy, but according to our Security Architects, this will disable the most crucial part of CSP.

Is there anyone here who has correctly implemented Content Security Policy in an APEX application and can guide me on what I could do? Or maybe newer versions of APEX allow easier implementation of CSP and the solution is to upgrade to a higher version of APEX?

Thanks in advance.
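Added example, not from the poster or from Oracle APEX: a small JavaScript model of the browser decision the post runs into. It shows that under `default-src 'self'` an inline `<script>` is blocked, that `'unsafe-inline'` re-enables every inline script (which is why the Security Architects object), and that a nonce allows only scripts carrying the matching attribute. The policy strings and the nonce value `r4nd0m` are constructed for the example.

```javascript
// Parse a Content-Security-Policy header into { directiveName: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Scripts are governed by script-src; if absent, default-src applies.
// This fallback is why "default-src 'self'" alone blocks APEX's inline code.
function scriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || null;
}

// Decide whether an inline <script nonce="..."> may execute under the header.
// CSP rule modelled: inline script needs 'unsafe-inline' or a matching nonce;
// once any nonce or hash source is present, 'unsafe-inline' is ignored.
function inlineScriptAllowed(header, nonceAttr) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true; // no governing directive: unrestricted
  const nonces = sources
    .filter((s) => /^'nonce-/i.test(s))
    .map((s) => s.slice("'nonce-".length, -1)); // strip 'nonce- and closing quote
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/i.test(s));
  if (nonces.length > 0 || hasHash) {
    // Strict mode: only a script tagged with a listed nonce runs
    // (hash sources exist but are not evaluated in this example).
    return nonceAttr !== undefined && nonces.includes(nonceAttr);
  }
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed policies matching the three options discussed in the post.
const POLICY_SELF = "default-src 'self'";
const POLICY_UNSAFE_INLINE = "default-src 'self' 'unsafe-inline'";
const POLICY_NONCE = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";

console.log("default-src 'self', inline script:", inlineScriptAllowed(POLICY_SELF));
console.log("with 'unsafe-inline', inline script:", inlineScriptAllowed(POLICY_UNSAFE_INLINE));
console.log("nonce policy, untagged script:", inlineScriptAllowed(POLICY_NONCE));
console.log("nonce policy, tagged script:", inlineScriptAllowed(POLICY_NONCE, "r4nd0m"));
```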

Added on Jun 1 2023