Securing SigningHub Demo


Content Security Policy Header

This header helps prevent code injection attacks such as cross-site scripting and clickjacking by telling the browser which dynamic resources are allowed to load. The value of the Content-Security-Policy header is made up of a set of directives separated by semicolons; 'self' translates to the same origin as the HTML resource. With this minimum configuration, your HTML is allowed to fetch JavaScript, stylesheets, and other resources only from the same domain that served the HTML referencing them; you won't be able to include external scripts from CDNs or similar. This header is added in SigningHub Admin > Configurations > Global Settings > Content Security Policy, and you need to replace the SigningHub URLs accordingly:

object-src
    'none';

default-src
    'self';

connect-src
    'self';

child-src
    'self'
    [WEB_URL];

script-src
    'self'
    'unsafe-inline'
    'unsafe-eval';

style-src
    'self'
    'unsafe-inline';

frame-ancestors
    'self';

img-src
    'self'
    *
    data:
    blob:;
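As an added check (example code, not SigningHub's own), the following Python parses a policy value like the one above into its directives and flags the settings a reviewer would question: an unreplaced [WEB_URL] placeholder, a missing object-src 'none' or frame-ancestors, 'unsafe-inline'/'unsafe-eval' in script-src, and wildcard origins. The web URL in the constructed sample is hypothetical.

```python
"""Parse a Content-Security-Policy value and flag common weaknesses."""
from typing import Dict, List

# Constructed sample: the policy from this page with the [WEB_URL]
# placeholder replaced by a hypothetical SigningHub web URL.
SIGNINGHUB_CSP = (
    "object-src 'none'; default-src 'self'; connect-src 'self'; "
    "child-src 'self' https://web.signinghub.example; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; "
    "img-src 'self' * data: blob:"
)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive, and browsers honour only the
    first occurrence of a directive, so later duplicates are ignored here.
    """
    policy: Dict[str, List[str]] = {}
    for segment in value.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def review_csp(value: str) -> List[str]:
    """Return the findings a reviewer would raise about the policy."""
    policy = parse_csp(value)
    findings: List[str] = []
    if "[WEB_URL]" in value:
        findings.append("placeholder [WEB_URL] was not replaced with the SigningHub URL")
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src should be 'none' to block plugin content")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: clickjacking protection relies on it")
    # script-src falls back to default-src when it is not set explicitly.
    scripts = policy.get("script-src", policy.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in scripts:
            findings.append(f"script-src allows {weak}, which weakens XSS protection")
    for directive, sources in policy.items():
        if "*" in sources:
            findings.append(f"{directive} allows any origin (*)")
    return findings


if __name__ == "__main__":
    for finding in review_csp(SIGNINGHUB_CSP):
        print("-", finding)
```

Run against the sample, it reports the two unsafe script-src keywords and the wildcard in img-src, which are the three points worth weighing against the page's "minimum configuration" claim.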
