Skip to main content Skip to complementary content

Managing Content Security Policy (CSP)

Control and manage your Content Security Policy (CSP) in Qlik Cloud to enhance protection against attacks like Cross Site Scripting (XSS) and data injection.

Qlik Cloud uses Content Security Policy (CSP) Level 2, which provides an extra layer of security that helps to detect and mitigate certain types of attacks, including XSS and data injection. These attacks can lead to data theft, site defacement, and malware distribution.

CSP allows tenant admins to control the resources an extension or a theme can load for a given page. Policies typically involve specifying server origins and script endpoints. If an extension or theme contains resource requests to external resources, these origins must be added to the allowlist in the CSP.

For more information, see MDN Web Docs: Content Security Policy (CSP).

Directives

Directives control locations from which certain resource types may be loaded. The following directives are supported:

Directives
Directive Description

child-src

Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.

Use frame-src and worker-src for more specific control.

form-action

Restricts the URLs that can be used as the target of submissions from a given context.

media-src

Specifies valid sources for loading media using the <audio>, <video>, and <track> elements.

style-src

Specifies valid sources for stylesheets.

connect-src

Restricts the URLs that can be loaded using script interfaces.

frame-src

Specifies valid sources for nested browsing contexts using elements such as <frame> and <iframe>.
frame-ancestors Specifies valid sources for embedding the resource using <frame>, <iframe>, <object>, <embed>, and <applet>.

object-src

Specifies valid sources for the <object>, <embed>, and <applet> elements.

Elements controlled by object-src are considered legacy HTML elements and are not recieving new standardized features, such as the security attributes sandbox or allow for <iframe>. It's recommended to restrict this fetch-directive, for example, by explicitly setting object-src 'none' if possible.

worker-src

Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.

font-src

Specifies valid sources for fonts loaded using @font-face.

image-src

Specifies valid sources of images and favicons.

script-src

Specifies valid sources for JavaScript.

Qlik Cloud default CSP

Qlik Cloud has a default CSP that includes safe-listed domains. For example, you can use images from the following domains without adding them to your CSP:

  • maps.qlikcloud.com

  • ibasemaps-api.arcgis.com

  • cdn.pendo.io

  • app.pendo.io

  • pendo-static-5763789454311424.storage.googleapis.com

  • data.pendo.io

  • *.gravatar.com *.wp.com *.

  • googleusercontent.com

  • cdn.qlik-stage.com

  • cdn.qlikcloud.com

For a full list of default domains, see Allowlisting domain names and IP addresses.

CSP entries and header limits

The values for maximum number of CSP entries per tenant and maximum number of characters in the CSP header are built-in and cannot be changed.

  • Maximum entries: Up to 256 CSP entries per tenant. If you exceed this, remove redundant entries before adding new ones.

  • Header length: The CSP header can be up to 6,144 characters long. If you exceed this limit, remove redundant entries before adding new ones.

Creating a CSP entry

Do the following:

  1. In the Administration activity center, go to Content Security Policy.
  2. Click Add.
  3. Provide a name.

  4. Enter the origin in one of the following formats:

    • domain.com

    • *.domain.com

    Information noteQlik Sense enforces HTTPS.
  5. Select the applicable directives.

  6. Click Add.

Users must refresh their browser for the changes to take effect.

Editing a CSP entry

Do the following:

  1. In the Administration activity center, go to Content Security Policy.
  2. Find the CSP entry you want to edit, click More, and select Edit.
  3. Change the CSP options as needed.
  4. Click Save.

Users must refresh their browser for the changes to take effect.

Deleting a CSP entry

Do the following:

  1. In the Administration activity center, go to Content Security Policy.

  2. Select the CSP entries you want to remove and click Delete.

  3. Confirm the deletion.

Viewing and copying the CSP header

Do the following:

  1. In the Administration activity center, go to Content Security Policy.
  2. Click View header.
  3. In the dialog, click Copy to clipboard.
  4. Click Done.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!