Security and Content Security Policy (CSP)

This page describes how to configure Content Security Policy (CSP) for Net iD Portal. It is intended for administrators who manage the web server or reverse proxy that hosts the portal.

Overview

Net iD Portal is delivered as a web application. The web server or reverse proxy that serves the portal must add a suitable CSP header to the HTTP responses.

The portal GUI does not set the CSP header itself.

CSP is configured in the web or proxy platform you use, for example:

  • IIS site or application configuration

  • Load balancer or application gateway configuration

GUI requirements

From the GUI perspective, CSP must allow the portal to load and run its scripts and styles. In practice, this means:

  • script-src must contain:

    • 'self'

    • 'unsafe-eval'

  • style-src must contain:

    • 'self'

    • 'unsafe-inline'

If these sources are missing, or the directives are more restrictive than this, the portal GUI does not work correctly.

If the portal GUI calls an API on another origin (for example when backendUrl points to a different host or path), that origin must be allowed in the connect-src directive.

Example CSP header

The following example shows a soft, but realistic, CSP for the portal:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data:;
  font-src 'self';
  connect-src 'self';
  object-src 'none';
  base-uri 'self';
  frame-ancestors 'self';

This policy:

  • Allows the portal to load its own scripts and use eval.

  • Allows the portal to load its own styles and use inline styles.

  • Limits images and fonts to the same origin (and data URLs for images).

  • Limits network connections to the same origin.

  • Blocks plug-in content (object-src 'none').

  • Limits where the page can be embedded (frame-ancestors 'self').

Allowing a separate API origin

If the API is hosted on another origin, extend connect-src so that the browser can call the API.

Example 1. Single API origin

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data:;
  font-src 'self';
  connect-src 'self' https://api.example.com;
  object-src 'none';
  base-uri 'self';
  frame-ancestors 'self';

Implementation notes

The exact configuration syntax depends on the platform.

Typical examples:

IIS

Configure the Content-Security-Policy header on the site, application, or directory.

Load balancer or application gateway

Add or override the Content-Security-Policy header in the HTTP response rules.

Make sure only one effective CSP header is sent. If multiple components add a CSP header, the browser enforces every policy it receives, so a resource is allowed only if all of them allow it; the result is the most restrictive combination.
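As an added check (example code written for this page, not part of Net iD Portal or its web server), the following Python script parses a CSP header value, verifies the GUI requirements above (script-src and style-src), checks that connect-src covers the origin of backendUrl, and flags the case where more than one CSP header is sent. The portal origin, backend URL and sample header in the script are assumed values.

```python
from urllib.parse import urlsplit

# Sources the portal GUI needs (see "GUI requirements" above).
REQUIRED = {
    "script-src": {"'self'", "'unsafe-eval'"},
    "style-src": {"'self'", "'unsafe-inline'"},
}

def parse_csp(header: str) -> dict:
    """Split one CSP header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def origin_of(url: str) -> str:
    """Reduce a URL (for example backendUrl) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def effective_sources(policy: dict, directive: str) -> list:
    """Fetch directives such as script-src fall back to default-src when absent."""
    return policy.get(directive, policy.get("default-src", []))

def check_portal_csp(headers: list, portal_origin: str, backend_url: str = None) -> list:
    """Return a list of problems; an empty list means the policy satisfies the GUI requirements."""
    problems = []
    if len(headers) > 1:
        problems.append(f"{len(headers)} CSP headers sent; the browser enforces all of them")
    for header in headers:
        policy = parse_csp(header)
        for directive, needed in REQUIRED.items():
            missing = needed - set(effective_sources(policy, directive))
            if missing:
                problems.append(f"{directive} is missing {' '.join(sorted(missing))}")
        if backend_url:
            api_origin = origin_of(backend_url)
            allowed = [s.lower() for s in effective_sources(policy, "connect-src")]
            same_site = "'self'" in allowed and api_origin == portal_origin.lower()
            if api_origin not in allowed and not same_site:
                problems.append(f"connect-src does not allow the API origin {api_origin}")
    return problems

if __name__ == "__main__":
    # Constructed sample: the page's example header, with the API on a separate (assumed) origin.
    sample = ("default-src 'self'; script-src 'self' 'unsafe-eval'; "
              "style-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none'")
    for p in check_portal_csp([sample], "https://portal.example.com", "https://api.example.com/v1"):
        print("CSP problem:", p)
```

Paste the header value from the proxy configuration or the browser's network tab into the list; each reported problem corresponds to one of the symptoms listed under Troubleshooting.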

Troubleshooting

If the CSP is too strict, the browser may block scripts, styles, or API calls.

Typical symptoms are:

  • The portal GUI does not load or shows a blank page.

  • Actions in the GUI fail without clear error messages.

  • Developer tools show CSP violation errors in the console.

GUI configuration, including backendUrl and other runtime settings, is described on the GUI configuration page.