The following headers are added by default when working in Production environments:
- Strict-Transport-Security (Only when using HTTPS)
- Content-Security-Policy (The header that is causing the problem)
These headers can be disabled in Production; in the Test and Development environments they are disabled by default.
Versions prior to 11.2.4 R2
What do you need to do?
These are the steps to customize the CSP in Bizagi when working with versions prior to 11.2.4 R2:
1. To disable the headers, use the following key in the appsettings section of the web.config:
<appSettings><add key="BizagiSecurityHeaders" value="false" /></appSettings>
2. Once this key is applied, you can confirm in a browser's network tools that none of the default headers are present in the server's responses.
3. Bear in mind that removing these headers can increase the risk of security attacks. Therefore, setting custom values from IIS is recommended. To do that, either follow the instructions here: https://docs.microsoft.com/en-us/troubleshoot/iis/add-http-response-header-web-site, or set the values directly in the web.config file of the specific Bizagi site (custom headers) following the instructions here: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httpprotocol/customheaders/
4. Set the following header values:
Strict-Transport-Security. Value: max-age=31536000; includeSubDomains
Referrer-Policy. Value: no-referrer
X-Content-Type-Options. Value: nosniff
X-Frame-Options. Value: SAMEORIGIN
X-XSS-Protection. Value: 1; block
Unlike the headers above, there is no standard value for the Content-Security-Policy header; it depends on the origins your site loads from. The value Bizagi sets by default through code is:
Content-Security-Policy. Value: default-src 'self' *.bizagi.com data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src * 'self' 'unsafe-inline' data:;
- Removing these headers can increase the risk of security attacks.
- This only applies to the Production environment; the Test and Development environments do not require these steps.
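As an added illustration (not part of Bizagi's documentation), the following web.config fragment combines steps 1 through 4 for one site: the appSettings key that disables the built-in headers, and the IIS customHeaders section that re-adds them with the values listed above. Element and attribute names come from the IIS httpProtocol/customHeaders schema linked in step 3; the CSP value is the default quoted above and is the part you would adjust for your own origins.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- Step 1: stop Bizagi from emitting its default security headers (Production only) -->
    <add key="BizagiSecurityHeaders" value="false" />
  </appSettings>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Step 4: re-add the headers from IIS so the site is not left without them.
             Strict-Transport-Security is only meaningful on an HTTPS binding. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="Referrer-Policy" value="no-referrer" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-XSS-Protection" value="1; block" />
        <!-- Content-Security-Policy: this is Bizagi's default value from the text above.
             Customize the source lists (for example *.bizagi.com) to match the origins
             your deployment actually loads scripts, styles, images and fonts from. -->
        <add name="Content-Security-Policy"
             value="default-src 'self' *.bizagi.com data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src * 'self' 'unsafe-inline' data:;" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After applying the change, repeat the check from step 2 and confirm that each header now appears exactly once in the response; a header emitted by both Bizagi and IIS would show up duplicated.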