Configure a content security policy

This page applies to Apigee and Apigee hybrid.

View Apigee Edge documentation.

Configure a content security policy (CSP) for all pages in your portal to protect against cross-site scripting (XSS) and other code-injection attacks. The CSP defines trusted sources for content such as scripts, styles, and images. After you configure a policy, the browser blocks content loaded from sources the policy does not trust.

The CSP is added as a Content-Security-Policy HTTP response header to all pages in your portal, as follows:

Content-Security-Policy: policy

You define the policy using directives, as defined in Content Security Policy Directives on the W3C site.

If you enable the CSP header, the following CSP directive is defined by default:

default-src 'unsafe-eval' 'unsafe-inline' * data:

The default-src directive configures the default policy for resource types that do not have a configured directive.

Apigee recommends that you define a default directive as part of the CSP to configure the minimum restrictions. Note that the default directive shown above permits inline scripts, dynamic code evaluation, and scripts from any network origin, so by itself it does not mitigate XSS; treat it as a starting point and restrict script-src and default-src to the origins your portal actually uses.

The following table describes the policies defined as part of the default directive.

Policy | Access
'unsafe-inline' | Inline resources, such as inline <script> elements and inline <style> elements. Note: You must enclose the policy in single quotes.
'unsafe-eval' | Unsafe dynamic code evaluation such as JavaScript eval() and similar methods used to create code from strings. Note: You must enclose the policy in single quotes.
* (wildcard) | Any URL except data:, blob:, and filesystem: schemes.
data: | Resources loaded via the data scheme (for example, Base64-encoded images).

The following provides examples of configuring the CSP to restrict specific resource types.

Policy | Access
default-src 'none' | No access for resource types that do not have a configured directive.
img-src * | Image URL from any source.
media-src https://example.com/ | Video or audio URL over HTTPS from the example.com domain.
script-src *.example.com | Execution of any script from a subdomain of example.com.
style-src 'self' css.example.com | Application of any style from the site's origin or the css.example.com domain.
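To make the directive and source-matching rules above concrete, the following added example (not Apigee code) evaluates candidate resource loads against two policies: Apigee's default directive and a tighter policy assembled from the rows of the second table. It implements the subset of CSP source matching the page describes: fallback from a missing type-specific directive to default-src, the quoted keywords, the * wildcard's exclusion of data:, blob: and filesystem: URLs, scheme sources such as data:, and host sources with an optional leading wildcard, scheme and path. The portal origin and all URLs are assumptions; nonces, hashes, ports and report-only mode are out of scope.

```python
"""Evaluate resource loads against a Content-Security-Policy header value.

Added example (not Apigee code). Covers the directives and source
expressions shown on the page; nonces, hashes and ports are omitted.
"""
from urllib.parse import urlsplit

# Apigee's default directive when the CSP header is enabled (from the page).
APIGEE_DEFAULT_CSP = "default-src 'unsafe-eval' 'unsafe-inline' * data:"

# A tighter policy built from the page's second table; hosts are assumptions.
HARDENED_CSP = (
    "default-src 'none'; "
    "script-src 'self' *.example.com; "
    "style-src 'self' css.example.com; "
    "img-src * data:; "
    "media-src https://example.com/"
)

# Assumed portal origin, used as the 'self' reference in the checks below.
PORTAL_ORIGIN = "https://portal.example.net"


def parse_csp(header: str) -> dict:
    """Split "a b c; d e" into {'a': ['b', 'c'], 'd': ['e']}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing_sources(policy: dict, resource_type: str):
    """The source list that applies: <type>-src if present, else default-src."""
    specific = resource_type + "-src"
    if specific in policy:
        return policy[specific]
    return policy.get("default-src")  # None: the CSP imposes no restriction


def source_matches(source: str, url: str, origin: str) -> bool:
    """Does one source expression permit fetching url from a page at origin?"""
    u, o = urlsplit(url), urlsplit(origin)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return (u.scheme, u.hostname) == (o.scheme, o.hostname)
    if src.startswith("'"):
        # 'unsafe-inline' and 'unsafe-eval' govern inline code, never URL fetches.
        return False
    if src == "*":
        # The wildcard never matches data:, blob: or filesystem: URLs.
        return u.scheme not in ("data", "blob", "filesystem")
    if src.endswith(":") and "/" not in src:
        return u.scheme == src[:-1]  # scheme source such as data:
    # Host source: [scheme://]host[/path]; a leading "*." matches subdomains only.
    if "://" in src:
        s = urlsplit(src)
        scheme, host, path = s.scheme, s.hostname, s.path
    else:
        host, _, rest = src.partition("/")
        scheme, path = None, ("/" + rest if rest else "")
    if scheme is not None and u.scheme != scheme:
        return False
    if scheme is None and u.scheme not in (o.scheme, "https"):
        return False
    if host.startswith("*."):
        if not (u.hostname or "").endswith(host[1:]):
            return False
    elif (u.hostname or "") != host:
        return False
    if path and path != "/":
        # A path ending in "/" is a prefix; otherwise it must match exactly.
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def is_allowed(header: str, resource_type: str, url: str,
               origin: str = PORTAL_ORIGIN) -> bool:
    """Would a browser enforcing this header load url as the given resource type?"""
    sources = governing_sources(parse_csp(header), resource_type)
    if sources is None:
        return True
    return any(source_matches(s, url, origin) for s in sources)


def allows_inline(header: str, resource_type: str) -> bool:
    """Are inline <script>/<style> elements of this resource type permitted?"""
    sources = governing_sources(parse_csp(header), resource_type)
    return sources is None or "'unsafe-inline'" in sources


if __name__ == "__main__":
    checks = [  # constructed sample loads
        ("script", "https://attacker.example.org/payload.js"),
        ("script", "https://cdn.example.com/app.js"),
        ("script", "https://example.com/app.js"),
        ("img", "data:image/png;base64,iVBORw0KGgo="),
        ("img", "blob:https://portal.example.net/0d1e"),
        ("media", "http://example.com/intro.mp4"),
    ]
    for name, csp in (("default", APIGEE_DEFAULT_CSP), ("hardened", HARDENED_CSP)):
        print(f"{name}: inline scripts allowed = {allows_inline(csp, 'script')}")
        for rtype, url in checks:
            print(f"  {rtype:6} {url:45} -> {is_allowed(csp, rtype, url)}")
```

Running the script shows the practical difference: under the default directive every script load and every inline script is permitted, while the hardened policy only runs scripts from the portal's own origin or a subdomain of example.com, rejects http:// media for an https://example.com/ source, and still lets images come from anywhere including data: URLs. After saving a policy in the portal settings, confirm with an HTTP HEAD request against the portal (for example with curl -sI) that the Content-Security-Policy response header carries exactly the directives you entered.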

To configure a content security policy:

  1. In the Google Cloud console, go to the Distribution > Portals page.

  2. Click your portal.

  3. Click Settings in the navigation menu.

  4. Click the Security tab.

  5. Click Enable content security policy.

  6. Configure the CSP or leave the default.

  7. Click Save.

You can restore the default CSP at any time by clicking Restore default.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.