HOW TO: Managing Custom Content Security Policy (CSP) in Versions Prior to 11.2.4 R2


Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks from the execution of malicious content in the trusted web page context. It is a candidate recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on said website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features. For further information, visit


The following headers are added by default when working in Production environments:

  • Strict-Transport-Security (Only when using HTTPS)
  • X-Xss-Protection
  • Content-Security-Policy (The header that is causing the problem)
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy

These headers can be disabled in Production but are disabled by default in testing and development environments.

Applies To

Versions prior to 11.2.4 R2

What you need to do?

These are the steps to customize the CSP in Bizagi when working with versions prior to 11.2.4 R2:

1. To disable the headers, use the following key in the appsettings section of the web.config:

<appSettings> <add key = "BizagiSecurityHeaders" value = "false" /> </ appSettings>

2. Once this key is applied, it is possible to validate in a browser that none of the default headers are present in the server's responses.

3. Bear in mind that removing these headers can increase the risk of security attacks. Therefore, setting the custom values from the IIS is recommended. To do that you can either follow the instructions available here:, or you can set the values directly on the web.config file for the specific Bizagi site (custom headers) following the instructions here:

4. The following values must be placed:

Strict-Transport-Security. Valor: max-age=31536000; includeSubDomains

Referrer-Policy. Valor: no-referrer

X-Content-Type-Options. Valor: nosniff. 

X-Frame-Options. Valor: SAMEORIGIN.

X-XSS-Protection. Valor: 1; block


It's worth noting that unlike these values, there’s no standard way to define the Content Security Policy. Its default value should be defined through code, which is:

Content-Security-Policy. Value: default-src 'self' * data :; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob :; font-src * 'self' 'unsafe-inline' data :;



  1. Removing these headers can increase the risk of security attacks.
  2. It only applies for Production Environment; Test and Development environment do not require these steps.