The web security service API implements Content Security Policy (CSP), which helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. CSP defines the Content-Security-Policy HTTP header, which allows you to create a whitelist of sources of trusted content. The CSP instructs the browser to only execute or render resources from those whitelisted sources. This adds a critical security layer when using custom extensions (visualizations and themes) and other functionality in Qlik Cloud Services that rely on external resources.
The web security service API can be used to:
- Create, retrieve, update and delete a CSP entry.
- Retrieve the CSP header for a tenant.
To access the web security service API, you must have an Access Token, which you get from your IdP, or an API key. Include the Access Token or API key in an Authorization header when you make the API request.
CSP is set up on the server and sent to the browser in an HTTP response header to enable the security policy. The CSP HTTP header is mainly a whitelist of domains that the different external resource types can be loaded from. CSP also provides a set of policy directives that enable fairly granular control over the types of resources that a page is allowed to load. Here is a small subset of the directives for resource types:
For a complete list of supported directives, see Managing Content Security Policy.
The HTTP header format is simple. The header itself is called Content-Security-Policy and in it you specify the instructions for the browser, for example:
Content-Security-Policy: default-src 'self'; img-src https://abc.example.com
The CSP in this example will allow loading all content types from the origin serving the document except images, which can only be loaded from https://abc.example.com.
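To make the header semantics concrete, here is an added example (not code from the Qlik documentation or the web security service API) that parses a Content-Security-Policy value and decides whether a resource load is allowed, including the fallback from a missing resource directive to default-src. It assumes a simplified form of the CSP host-matching rules (scheme, host and `*.` wildcard subdomains, no port or path matching) and uses a constructed document origin.

```python
from urllib.parse import urlsplit

# Directives that do NOT fall back to default-src when absent.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _matches(source: str, resource_url: str, document_origin: str) -> bool:
    """Does one source expression permit loading resource_url? (simplified CSP3 rules)"""
    if source == "'self'":
        return _origin(resource_url) == document_origin.lower()
    if source == "*":
        return True
    if source.startswith("'"):  # 'none', 'unsafe-inline', nonces, hashes: never a URL match
        return False
    res = urlsplit(resource_url)
    if source.endswith(":") and "/" not in source:  # scheme-only source, e.g. https:
        return res.scheme.lower() == source[:-1].lower()
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and res.scheme.lower() != src.scheme.lower():
        return False
    host, res_host = (src.hostname or "").lower(), (res.hostname or "").lower()
    if host.startswith("*."):
        return res_host.endswith(host[1:])  # "*.example.com" matches sub.example.com only
    return res_host == host


def allows(header: str, directive: str, resource_url: str, document_origin: str) -> bool:
    """Evaluate a header for one resource type; missing directives fall back to default-src."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no governing directive: CSP does not restrict this load
    return any(_matches(s, resource_url, document_origin) for s in sources)
```

With the header from the example above and a constructed document origin of https://tenant.example.com, an image from https://abc.example.com is allowed, an image from the document's own origin is blocked (img-src replaces default-src rather than extending it), and scripts are allowed only from 'self'.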
The Qlik Sense stability index indicates how stable or mature an API is. The web security service API has the stability index:
This API is under development. Do not rely on it. It may change or be removed in future versions.