Hi guys, 

We're a large corp with different business units, using the same OutSystems platform.

Currently, we can only have 1 single Content Security Policy configuration per environment in OutSystems. This is extremely hard to maintain, as each change impacts all applications in the platform.

We would love to get the option to branch out CSP configuration (for example in different "profiles") so that we can choose which frontend application uses which of the CSP configuration branches.

Currently, we're forced to disable CSP, due to the lack of this functionality.

Additionally: the option to have CSP in "report only" mode would also be extremely useful. Currently it seems like it's either "blocking" or "off".



Created on 11 Jun 2018
Hi Joris,

In the application screen, under the security tab you should be able to add CSP configurations that will only be applied to that application.

Can you explain your use case for needing report-only?

Hello Hélder,

Thanks for your reply. We didn't know about the specific CSP profiles per application.

How do these profiles relate to the platform-wide ones? Will they both be applied to the application, or will the application-specific CSP profile win over the platform-wide one, in case there is a specific one?

Regarding the report-only option: as traffic in production is often less predictable than in non-prod environments, we would like to dry-run CSP changes for a while in production. Only after validating the violation reports would we enforce the rule. This process allows us to have less or no unexpected loss of functionality in production.
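
The dry-run process described in the post above, as an added example that is not part of the original thread and is not OutSystems code: the candidate policy goes out under the report-only header, the collected violation reports are grouped by directive and blocked source, and the header name is switched only after that summary has been reviewed. It assumes reports are collected in the standard `csp-report` JSON format sent to a `report-uri` endpoint; the sample reports, hosts and function names are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample bodies in the JSON shape browsers POST to a report-uri
# endpoint. Every host and path here is made up for the example.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://app.example.com/Orders", '
    '"effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib/chart.js"}}',
    '{"csp-report": {"document-uri": "https://app.example.com/Stock", '
    '"effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib/grid.js"}}',
    '{"csp-report": {"document-uri": "https://app.example.com/Orders", '
    '"effective-directive": "style-src-elem", "blocked-uri": "inline"}}',
    # Older report shape: only violated-directive, carrying the directive text.
    '{"csp-report": {"document-uri": "https://app.example.com/Home", '
    '"violated-directive": "img-src \'self\'", "blocked-uri": "https://images.example.org/logo.png"}}',
    'not json at all',
]

def header_for(policy, enforce):
    """Same policy string either way; only the header name decides blocking."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, policy

def blocked_source(blocked_uri):
    """Reduce a blocked-uri to scheme://host, the form a source list accepts."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"  # keywords such as inline, eval, data

def summarize(raw_reports):
    """Count violations per (directive, source); count malformed bodies apart."""
    counts, skipped = Counter(), 0
    for raw in raw_reports:
        try:
            report = json.loads(raw)["csp-report"]
            directive = (report.get("effective-directive")
                         or report["violated-directive"].split()[0])
            source = blocked_source(report.get("blocked-uri", ""))
        except (ValueError, KeyError, TypeError, IndexError, AttributeError):
            skipped += 1  # the report endpoint is unauthenticated input
            continue
        counts[(directive, source)] += 1
    return counts, skipped
```

A source that shows up repeatedly across different pages is a candidate for the allow list before enforcement; one-off entries often come from browser extensions and are worth checking rather than allowing.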


I believe the application-specific CSP profile will win over the environment one. Either way, I advise you to confirm this on your dev environment. 

You can see here how to configure it in LifeTime and ServiceCenter