  • Nevena Nikolic 5 posts 25 karma points
    Sep 29, 2017 @ 09:02

    Hello everyone,

    we are trying to implement security headers on our website and one of them is Content-Security-Policy. I started adding sources that we trust, but I am having issues opening the Umbraco back office because it's trying to execute inline scripts.

    Also, an issue that I faced is that if I try putting a hash value I always get a "new one"; it looks like the script is "generated" on the file, or there are 10+ scripts that are printed and executed inline.

    Is there any easy workaround for this issue that we are facing?

    Kind Regards

  • Sebastiaan Janssen 4898 posts 14647 karma points MVP admin hq
    Sep 30, 2017 @ 10:06

    I wrote about this in depth here:

    Basically you need to ignore umbraco paths like so:

     <location path="umbraco">
       <system.webServer>
         <urlCompression doStaticCompression="false" doDynamicCompression="false" dynamicCompressionBeforeCache="false" />
         <httpProtocol><customHeaders>
           <remove name="X-Frame-Options" />
           <add name="X-Frame-Options" value="SAMEORIGIN" />
           <remove name="Content-Security-Policy" />
           <add name="Content-Security-Policy" value="default-src 'self' *;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;font-src 'self';" />
         </customHeaders></httpProtocol>
       </system.webServer>
     </location>
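
An added example, not part of the original posts or of Umbraco's code: a Python check that the relaxed policy from the snippet above stays confined to the back office and does not reach front-end pages. `SITE_CSP`, the `SAMPLE` response map and all function names are assumptions constructed for illustration.

```python
# Added example (constructed data): audit CSP values for relaxed script sources.
RISKY = {"'unsafe-inline'", "'unsafe-eval'", "*"}

# Policy from the <location path="umbraco"> snippet above.
BACKOFFICE_CSP = ("default-src 'self' *;script-src 'self' 'unsafe-inline' 'unsafe-eval';"
                  "style-src 'self' 'unsafe-inline';img-src 'self' data:;font-src 'self';")
# Assumed stricter site-wide policy, constructed for this example.
SITE_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers, so the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def risky_sources(value, directive="script-src"):
    """Risky tokens governing `directive`, honouring the default-src fallback."""
    policy = parse_csp(value)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return ["<unrestricted>"]  # no directive and no default-src: nothing is blocked
    return sorted(s.lower() for s in sources if s.lower() in RISKY)

def leaked_relaxations(responses, exempt="/umbraco"):
    """Paths outside the back office whose policy still allows risky script sources."""
    findings = {}
    for path, header in responses.items():
        p = path.lower()  # IIS matches paths case-insensitively
        if p == exempt or p.startswith(exempt + "/"):
            continue
        risky = risky_sources(header)
        if risky:
            findings[path] = risky
    return findings

# Constructed path -> Content-Security-Policy map, as collected from responses.
SAMPLE = {
    "/": SITE_CSP,
    "/umbraco/": BACKOFFICE_CSP,
    "/umbraco-news/": SITE_CSP,
    "/blog/": BACKOFFICE_CSP,  # misconfiguration: relaxed policy outside /umbraco
}

if __name__ == "__main__":
    for path, risky in leaked_relaxations(SAMPLE).items():
        print(f"{path}: script-src allows {', '.join(risky)}")
```
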
  • Gary 80 posts 377 karma points
    Oct 28, 2019 @ 14:24

    Hi Sebastiaan,

    Do you have an updated link? It seems that the link now goes to the default Umbraco installation screen.

    Thank you :)

    Kind Regards,


  • Nevena Nikolic 5 posts 25 karma points
    Oct 03, 2017 @ 13:05

    Hi Sebastiaan,

    This worked, thank you a lot!
