Applies to: Cloud & Self-Hosted
Audience: Site Administrators
Time: Approximately 10 minutes
This guide explains what Content Security Policy (CSP) is, which Axero platform features it affects, and how to configure it using the ContentSecurityPolicy system property.
Important: Axero does not provide a default Content Security Policy. Each organization is responsible for defining a policy that meets its own security requirements.
Content Security Policy (CSP) is a security standard that controls which external sources your Axero platform can load resources from. If a resource originates from a source that is not in the CSP allowlist, the browser blocks it.
CSP protects against content injection attacks such as Cross-Site Scripting (XSS). Administrators can reduce risk by specifying an allowlist of trusted sources for scripts, stylesheets, images, fonts, and other resources.
The following Axero platform features access external resources and can be affected by your CSP configuration:
Tip: Review each feature above to identify which external domains it requires, then include those domains in your CSP allowlist.
The ContentSecurityPolicy system property allows you to define CSP directives directly through system configuration. Use it to specify which resources are allowed to load and execute on your Axero platform pages.
script-src 'self' https://trusted-source.example.com;
Note: Changes to the ContentSecurityPolicy system property take effect immediately. Test your policy in a staging environment before applying it to production to avoid accidentally blocking required resources.
If your organization embeds the Axero platform inside an iframe on another site (for example, a company portal or dashboard), the browser will block the embed by default. To allow it, add a frame-ancestors directive that lists the embedding domain:
frame-ancestors 'self' https://portal.example.com;
Replace https://portal.example.com with the actual URL of the site that will embed your Axero platform in an iframe. You can list multiple domains separated by spaces.
Important: When a Content Security Policy with frame-ancestors is present, modern browsers ignore the X-Frame-Options header. Axero does not set X-Frame-Options by default, but your hosting infrastructure (such as IIS or a reverse proxy) may add it. If your organization relies on X-Frame-Options to control iframe embedding, be aware that adding a CSP with frame-ancestors will override that behavior.
After saving your Content Security Policy, verify that it works as expected.
If you configured frame-ancestors, verify the directive by attempting to embed your Axero platform in an iframe on the allowed domain. If the embed loads successfully, the directive is working. If the browser blocks it, open the browser developer console (F12) and look for a CSP violation error referencing frame-ancestors.
Tip: To test quickly, you can use a free tool such as iframetester.com. Enter your Axero platform URL to confirm whether iframe embedding is allowed or blocked. Add the testing tool's domain to your frame-ancestors directive temporarily during testing, then remove it when finished.
For directives such as script-src or style-src, open the browser developer console (F12) on your Axero platform and look for CSP violation errors. Blocked resources will appear as errors referencing the directive that blocked them. Verify that expected resources load and that no critical platform functionality is broken.
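To predict what the browser will do before saving a policy, here is an added Python checker (not Axero code) that parses a ContentSecurityPolicy value like the ones above and answers whether a given directive would allow a given URL. The site origin https://intranet.example.com and the sample URLs are constructed, and the checker goes slightly beyond this guide by also handling the default-src fallback and *.wildcard hosts.

```python
"""Offline checker for a ContentSecurityPolicy property value (added example, not Axero code).
Answers: under this policy, would the browser let <directive> load <url> on a site served from
<site_origin>? Handles host sources, 'self', 'none', '*', scheme sources and *.wildcard hosts."""
from urllib.parse import urlparse

# Fetch directives fall back to default-src when absent; frame-ancestors never does.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src"}

def parse_csp(policy: str) -> dict:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives.setdefault(parts[0].lower(), []).extend(parts[1:])
    return directives

def _source_matches(source: str, url: str, site_origin: str) -> bool:
    u, site = urlparse(url), urlparse(site_origin)
    if source == "'self'":
        return (u.scheme, u.netloc) == (site.scheme, site.netloc)
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):                       # scheme source such as https:
        return u.scheme == source[:-1]
    has_scheme = "://" in source
    s = urlparse(source if has_scheme else f"{u.scheme}://{source}")
    if has_scheme and s.scheme != u.scheme:
        return False
    if s.netloc.startswith("*."):                  # *.example.com matches sub.example.com only
        return u.netloc.endswith(s.netloc[1:])
    return u.netloc == s.netloc

def allows(policy: str, directive: str, url: str, site_origin: str) -> bool:
    """True if the browser would permit the load; no governing directive means unrestricted."""
    csp = parse_csp(policy)
    sources = csp.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = csp.get("default-src")
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    return any(_source_matches(src, url, site_origin) for src in sources)

# Constructed sample: the two directives from this guide, applied to a hypothetical site origin.
POLICY = ("script-src 'self' https://trusted-source.example.com; "
          "frame-ancestors 'self' https://portal.example.com;")
SITE = "https://intranet.example.com"
print(allows(POLICY, "frame-ancestors", "https://other.example.org/", SITE))  # False: embed blocked
```

A False result for frame-ancestors corresponds to the CSP violation error you would see in the developer console when the embedding site is not allowlisted.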
For a comprehensive overview of CSP directives and syntax, see the Content Security Policy (CSP) reference on MDN Web Docs.
For practical guidance on implementing CSP to harden your web security, see Improving Web Security with the Content Security Policy on SitePoint.
We are always working to improve our documentation. If you encounter an issue not covered here, or if a step could be clearer, let us know through a Support Case so we can help you and improve this guide for everyone.