CSP headers on Sitecore

  • Sitecore Client User Interface does not support Content Security Policy (CSP) headers out of the box due to the dependency on unsafe scripts (the EVAL function and inline Javascript). Customers can configure CSP headers on a Sitecore instance by themselves, but in such case, the CSP definition for Content Management (CM) instance should definitely allow unsafe-inline and unsafe-eval scripts for the mapped CM hostname(s).

Applies to:

CMS 6.0.0 Initial Release - 9.2 Initial Release

CMS 9.3

May 03, 2019
December 02, 2019

Reference number:

130868