Setting Content-Security-Policy Headers in Datahub Front-end to Prevent XSS

Original Slack Thread

Does anyone know if it’s possible to set the Content-Security-Policy headers in the datahub front-end. We want to limit the posiblilties for XSS.

<@U02QJ0JMQ3V> might be able to speak to this!

<@U05ANL9RHK4> Did you maybe find an answer to set the CSP headers?

No I did set the env variable for secure cookies. AUTH_COOKIE_SECURE. Maybe <@UV5UEC3LN> can still help us?

Play supports doing this through configuration so it is technically possible by mounting a custom application.conf file to your pod/container:

We do have a ticket to have top level support for this so that it doesn’t require as much effort, but it is currently on the backlog and has not been prioritized