Enhance CSP documentation #9959

Robinfr · 2025-08-11T11:34:12Z

Add Headers custom runtime setting recommendations for nonce-based CSP
Add CSP support section for Java request handlers
Include CspHelper API documentation and code examples
Provide best practices and common issue solutions for CSP implementation
Update cloud deployment methods with clear recommendations

- Add Headers custom runtime setting recommendations for nonce-based CSP - Add CSP support section for Java request handlers - Include CspHelper API documentation and code examples - Provide best practices and common issue solutions for CSP implementation - Update cloud deployment methods with clear recommendations

Robinfr · 2025-08-11T11:34:19Z

Needs internal review

brambrink · 2025-08-12T11:16:19Z

content/en/docs/howto/security/csp.md

+CSP support is only relevant for request handlers that serve static content such as HTML pages, not for API endpoints that return JSON or other data formats.
+{{% /alert %}}
+
+This section describes how to properly handle CSP headers in your Java request handlers when serving HTML content.


I am missing a small explanation about what nonces are and how they work (and maybe a link to mdn would be nice)

I'm not exactly sure where I would put a link to MDN in this documentation? I don't want to elaborate on nonces too much to be honest. If you need to know what they are when reading this, you likely shouldn't be reading this documentation since that is an advanced topic.

I agree that an explanation is too much, the point I was trying to make is that nonces are not introduced at all. Maybe the sentence at line 179 can be extended with:

If you are developing Marketplace modules or custom Java actions that include request handlers, you may need to implement CSP support to ensure compatibility with strict CSP policies. Nonces can be implemented to securely allow necessary inline scripts and styles while maintaining robust content security.

I've added a short introduction to nonces referencing CSP level 2

content/en/docs/howto/security/csp.md

OlufunkeMoronfolu · 2025-08-14T11:56:47Z

@Robinfr Please let me know when the technical verification is done and when it's ready for tech writer's review.

brambrink · 2025-08-15T14:41:33Z

Hey @OlufunkeMoronfolu, it is ready for tech writer's review.

OlufunkeMoronfolu self-assigned this Aug 11, 2025

OlufunkeMoronfolu added the Internal WIP label Aug 11, 2025

brambrink suggested changes Aug 12, 2025

View reviewed changes

OlufunkeMoronfolu added the Needs R&D technical verification label Aug 13, 2025

QA: Clarified a few things + documented Headers custom runtime settings

3726fdf

Added short introduction to nonces referencing CSP level 2

dcd7475

brambrink approved these changes Aug 15, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Enhance CSP documentation #9959

Enhance CSP documentation #9959

Uh oh!

Robinfr commented Aug 11, 2025

Uh oh!

Robinfr commented Aug 11, 2025

Uh oh!

brambrink Aug 12, 2025

Uh oh!

Robinfr Aug 14, 2025

Uh oh!

brambrink Aug 15, 2025

Uh oh!

Robinfr Aug 15, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

OlufunkeMoronfolu commented Aug 14, 2025

Uh oh!

brambrink commented Aug 15, 2025

Uh oh!

Uh oh!

Enhance CSP documentation #9959

Are you sure you want to change the base?

Enhance CSP documentation #9959

Uh oh!

Conversation

Robinfr commented Aug 11, 2025

Uh oh!

Robinfr commented Aug 11, 2025

Uh oh!

brambrink Aug 12, 2025

Choose a reason for hiding this comment

Uh oh!

Robinfr Aug 14, 2025

Choose a reason for hiding this comment

Uh oh!

brambrink Aug 15, 2025

Choose a reason for hiding this comment

Uh oh!

Robinfr Aug 15, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

OlufunkeMoronfolu commented Aug 14, 2025

Uh oh!

brambrink commented Aug 15, 2025

Uh oh!

Uh oh!