Content Security Policy

The Content Security Policy (CSP) settings allow administrators to define security rules that control which resources can be loaded by SigningHub Admin and Web applications. By restricting the sources for scripts, styles, images, and other content, CSP helps protect against code injection attacks such as cross-site scripting (XSS) and clickjacking. This page enables you to configure and customise CSP values for Admin and Web (not Mobile Web) deployments to align with your security requirements.


Configure the 'Content Security Policy' parameters in Global Settings

  1. Click the 'Configurations' option from the navigation panel.

  2. Click the 'Global Settings' option.

  3. Select the 'Content Security Policy' option from the drop-down.

  4. Configure these settings as required and click the 'Save' button. See the table below for field descriptions.

  Note: For any changes to come into effect, the website must be restarted after the Content Security Policy is changed.

Content Security Policy fields (each field name is followed by its description and default value)

Admin content security policy

Specify the Content Security Policy for the SigningHub Admin. By default, the value for this field is fetched from the database, but it can be updated as required. The maximum length for this field is 4000 characters. The default value for this field is:

form-action 'none';
base-uri 'self';
frame-ancestors 'none';

default-src
    'self'
    https://app.powerbi.com/;

style-src
    'self'
    'unsafe-inline';

img-src
    'self'
    data:
    blob:;

object-src
    'none';

script-src
    'self';

Web content security policy

Specify the Content Security Policy for the SigningHub Web. By default, the value for this field is fetched from the database, but it can be updated as required. The maximum length for this field is 4000 characters. The default value for this field is:

object-src 'none';

script-src 'strict-dynamic'
    'self'
    https://www.dropbox.com
    [ADSS_URL]/adss/gosign/
    https://seal.globalsign.com/SiteSeal/
    https://az416426.vo.msecnd.net/
    https://googleads.g.doubleclick.net
    https://www.googleadservices.com
    https://www.googletagmanager.com
    https://bat.bing.com
    https://az416426.vo.msecnd.net
    https://www.google.com/recaptcha
    https://www.google.com/recaptcha/api.js
    https://www.gstatic.com/recaptcha/
    http://apis.google.com
    https://docs.google.com/picker
    https://js.live.net
    https://www.google-analytics.com
    https://client.go-sign-desktop.com:8782/gosign-desktop
    https://graph.microsoft.com/v1.0/drive/items/
    https://api.taxamo.com/js/v1/taxamo.all.js
    [API_URL]
    [WEB_URL];

style-src
    'self';

img-src
    'self'
    [API_URL]
    [WEB_URL]
    data:
    blob:;

font-src
    'self'
    https://fonts.gstatic.com/
    data:;

connect-src
    'self'
    https://t1c.t1t.io:58937/
    https://t1c.t1t.io:51883/v3/
    https://t1c.t1t.io:51883/
    https://t1c.t1t.io:58937/v3/
    https://www.google-analytics.com
    https://beta10.demo.signinghub.com/
    https://65.52.68.199:8778/adss/gosign/handler
    https://test.eideasy.com/api/
    https://id.eideasy.com/api/
    https://app.powerbi.com
    https://stats.g.doubleclick.net
    https://graph.microsoft.com/v1.0/
    https://dc.services.visualstudio.com/v2/track
    https://graph.microsoft.com/v1.0/drive/items
    https://client.go-sign-desktop.com:8782
    https://web.signinghub.com/adss/gosign/handler
    https://client.go-sign-desktop.com:8782/gosign-desktop
    https://graph.microsoft.com/v1.0/me/drive/items/
    [API_URL]
    [WEB_URL];

child-src
    'self'
    https://docs.google.com/picker
    https://client.go-sign-desktop.com:8782/gosign-desktop
    https://accounts.google.com
    https://api.taxamo.com/
    https://t1c.t1t.io:58937/
    https://t1c.t1t.io:51883/v3/
    https://t1c.t1t.io:51883/
    https://t1c.t1t.io:58937/v3/
    https://c.taxamo.com/
    https://p.taxamo.com/
    https://www.google.com/
    https://t1c.t1t.io
    https://acc-ds.t1t.io/v3/tokens/application;

frame-src
    https://api.taxamo.com/
    https://p.taxamo.com/
    https://app.powerbi.com/;

frame-ancestors
    [WEB_URL];

base-uri
    'self';

Demo content security policy

Specify the Content Security Policy for the SigningHub Demo. By default, the value for this field is fetched from the database, but it can be updated as required. The maximum length for this field is 4000 characters. The default value for this field is:

object-src
    'none';

default-src
    'self';

connect-src
    'self';

child-src
    'self'
    [WEB_URL];

script-src
    'self'
    'unsafe-inline'
    'unsafe-eval';

style-src
    'self'
    'unsafe-inline';

frame-ancestors
    'self';

img-src
    'self'
    *
    data:
    blob:;

  1. For a fresh installation of SigningHub:

    • The system will add the default Content Security Policy values (with respect to signinghub.com) for all the websites to the database. These default values can be updated later.

    • The Content Security Policy will be added to the default scripts.

  2. For an upgrade of SigningHub:

    • Upon upgrade, the system will take the default Content Security Policy values (with respect to signinghub.com) for all the websites from the existing web.config file and store them in the database.

    • From v8.5 onwards, the system will read the Content Security Policy values from the database, since every client will have updated the Content Security Policy to suit their needs.

  3. Please update the placeholders below in the CSP header:

    [API_URL]

    [WEB_URL]

    [ADSS_URL] (used for local-side signing with ADSS Go>Sign)

  4. For Stripe, add the first three URLs below to child-src and the last one to script-src, in addition to the CSP headers above:

    https://api.taxamo.com/

    https://c.taxamo.com/

    https://p.taxamo.com/

    https://api.taxamo.com/js/v1/taxamo.all.js

  5. Add the following URLs in connect-src for T1C Signing, in addition to the above CSP headers:

    https://t1c.t1t.io

    https://t1c.t1t.io:51983/info

  6. Add the following URL in the default-src of Web and Admin for Power BI reporting, in addition to the above CSP headers:

    https://app.powerbi.com/
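As an added example (not code from SigningHub or this documentation), the Python helper below parses a policy written in the multi-line form shown in the Admin, Web and Demo fields above, fills the [API_URL]/[WEB_URL]/[ADSS_URL] placeholders from step 3, appends the per-integration URLs from steps 4 to 6 to the correct directive without duplicates, and reports what is worth checking before clicking Save: the 4000-character limit, any placeholder left unfilled, and 'unsafe-inline'/'unsafe-eval' in script-src (present in the Demo default). The example.com origins and the trimmed sample policy are constructed for the example.

```python
import re
# Constructed sample: a trimmed form of this page's Web policy, placeholders still unfilled.
SAMPLE_WEB_CSP = """
object-src 'none';
script-src 'strict-dynamic' 'self' [ADSS_URL]/adss/gosign/ [API_URL] [WEB_URL];
connect-src 'self' [API_URL] [WEB_URL];
child-src 'self' https://docs.google.com/picker;
frame-ancestors [WEB_URL];
base-uri 'self';
"""
MAX_LEN = 4000                                    # per-field limit stated on the page
WEAK = {"'unsafe-inline'", "'unsafe-eval'", "*"}  # sources that undo CSP's XSS protection
PLACEHOLDER = re.compile(r"\[(API_URL|WEB_URL|ADSS_URL)\]")

def parse_csp(text):
    """Split a policy into {directive: [sources]}; newlines and indentation are ignored."""
    policy = {}
    for chunk in text.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def render_csp(policy):
    """Join the directives back into one header value."""
    return "; ".join(" ".join([d] + s) for d, s in policy.items()) + ";"

def fill_placeholders(policy, values):
    """Replace [API_URL]/[WEB_URL]/[ADSS_URL] with the deployment's origins; unknown tokens stay."""
    return {d: [PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), s) for s in srcs]
            for d, srcs in policy.items()}

def add_sources(policy, directive, urls):
    """Append integration URLs (e.g. Stripe into child-src) without duplicating existing ones."""
    srcs = policy.setdefault(directive, [])
    srcs.extend([u for u in urls if u not in srcs])
    return policy

def audit(policy):
    """Findings to resolve before saving: length, unfilled tokens, weak script/default sources."""
    header, findings = render_csp(policy), []
    if len(header) > MAX_LEN:
        findings.append(f"length {len(header)} exceeds {MAX_LEN}")
    findings += [f"unfilled placeholder {t}" for t in sorted(set(re.findall(r"\[[A-Z_]+\]", header)))]
    for d in ("script-src", "default-src"):
        findings += [f"{d} allows {w}" for w in sorted(WEAK & set(policy.get(d, [])))]
    if not any(d in policy for d in ("object-src", "default-src")):
        findings.append("no object-src or default-src: plugin content is unrestricted")
    return findings
```

Run `audit(parse_csp(...))` on each field's value; an empty list means the three checks passed, which does not replace reviewing the allowed origins themselves.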
