Enhance CSP documentation #9959
Conversation
Robinfr
commented
Aug 11, 2025
Robinfr
commented
- Add Headers custom runtime setting recommendations for nonce-based CSP
- Add CSP support section for Java request handlers
- Include CspHelper API documentation and code examples
- Provide best practices and common issue solutions for CSP implementation
- Update cloud deployment methods with clear recommendations
- Add Headers custom runtime setting recommendations for nonce-based CSP - Add CSP support section for Java request handlers - Include CspHelper API documentation and code examples - Provide best practices and common issue solutions for CSP implementation - Update cloud deployment methods with clear recommendations
|
Needs internal review |
| CSP support is only relevant for request handlers that serve static content such as HTML pages, not for API endpoints that return JSON or other data formats. | ||
| {{% /alert %}} | ||
| This section describes how to properly handle CSP headers in your Java request handlers when serving HTML content. |
There was a problem hiding this comment.
I am missing a small explanation about what nonces are and how they work (and maybe a link to mdn would be nice)
There was a problem hiding this comment.
I'm not exactly sure where I would put a link to MDN in this documentation? I don't want to elaborate on nonces too much to be honest. If you need to know what they are when reading this, you likely shouldn't be reading this documentation since that is an advanced topic.
There was a problem hiding this comment.
I agree that an explanation is too much, the point I was trying to make is that nonces are not introduced at all. Maybe the sentence at line 179 can be extended with:
If you are developing Marketplace modules or custom Java actions that include request handlers, you may need to implement CSP support to ensure compatibility with strict CSP policies. Nonces can be implemented to securely allow necessary inline scripts and styles while maintaining robust content security.
| * `getTemplate()` - Get the template used for the Content-Security-Policy header value | ||
| * `getNonce(IMxRuntimeResponse response)` - Get the generated nonce of the current HTTP response | ||
| * `hasNonce(IMxRuntimeResponse response)` - Returns true if the configured CSP template contains the `{{ NONCE }}` placeholder |
There was a problem hiding this comment.
It would be nice to explicitly show an example of what the CSP template should look like above. This is a bit vague if you read it for the first time.
Something like: In order to make use of nonces, configure a custom CSP template as follows:
Content-Security-Policy: script-src 'nonce-{{ NONCE }}'
| html.append("</head>\n"); | ||
| html.append("<body>\n"); | ||
| html.append(" <h1>Your Module Content</h1>\n"); |
There was a problem hiding this comment.
I think this this example is a bit confusing due to the usage of "Module", it makes me think of Mendix modules. Furthermore, it would be nice to make the example a bit more realistic and give a small description what it does.
There was a problem hiding this comment.
That was the point, this is usually something you would do in a module. The code looks pretty self-explanatory to be honest? 😅 Which part is not clear?
There was a problem hiding this comment.
As discussed the example should be clear enough
|
|
||
| There are two ways to enable the header in the Cloud: | ||
|
|
||
| 1. Using the [Headers](/refguide/configuration/#headers) custom runtime setting (Recommended ✅). Use this if you need nonce-based CSP support. You can configure this in the Developer Portal under [Custom Runtime Settings](/developerportal/deploy/environments-details/#custom-runtime-settings). |
There was a problem hiding this comment.
I would move this above. Also the custom runtime settings don't mention the CSP header.
There was a problem hiding this comment.
It was at the bottom before that's why I left it there. Where would you like me to move it to?
The custom runtime setting I indeed forgot to document, added it now.
There was a problem hiding this comment.
I think it can stay here indeed
|
@Robinfr Please let me know when the technical verification is done and when it's ready for tech writer's review. |
