Manage Origin Policies
Origin Policies allow you to configure the Content Security Policy of your ConnectReport server deployment as well as CORS settings.
Enable CORS for a given host
If you are calling ConnectReport APIs from an external application, you need to enable CORS for that application's host.
Steps to enable CORS:
- Gather the hostname of your external application.
- Navigate to the ConnectReport Management Console and click Server Configuration. Scroll down to the section labeled Origin Policies.
- Under Actions, click add Origin.
- Enter the origin host and select the Enable CORS checkbox.
- Scroll down in the modal and click Save.
ConnectReport Origin Policies, including CORS settings, are cached for 5 minutes. To make your changes take effect immediately, you can restart the ConnectReport Enterprise service.
Configure Content Security Policy
Content Security Policy (CSP) is a web standard that lets you restrict the locations from which each type of resource may be loaded. Content Security Policies can provide significant protection against several OWASP Top 10 attacks, including XSS and other injection attacks.
The default CSP for ConnectReport server only allows resources from the server itself.
Enable Default CSP
- Gather the hostname of your external application.
- Navigate to the ConnectReport Management Console and click Server Configuration. Scroll down to the section labeled Origin Policies.
- Select the Enable Content Security Policy checkbox.
- Click Save in the lower right corner.
- Restart the ConnectReport Enterprise service.
Customize CSP
To add custom directives to the default CSP, first enable the default CSP by following the steps above.
Once it is enabled, you can add custom origin-specific directives. For example, if you need to allow images in your templates from an external server, create an origin for that server and select the imgSrc directive.
You can add additional origins and set CSP directives as follows:
- Navigate to the ConnectReport Management Console and click Server Configuration. Scroll down to the section labeled Origin Policies.
- Under Actions, click add Origin.
- Enter the origin host.
- Choose the CSP directives to enable.
- Scroll down in the modal and click Save.
ConnectReport Origin Policies, including CSP directives, are cached for 5 minutes. To make your changes take effect immediately, you can restart the ConnectReport Enterprise service.
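One way to confirm the effect of the imgSrc change described above is to evaluate the resulting Content-Security-Policy header against the image URLs your templates use. This is an added example, not ConnectReport code: the header strings and hostnames are constructed, and it assumes the imgSrc setting is emitted as the standard img-src directive.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Map directive name -> source list; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def origin(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def source_matches(source, url, self_url):
    """Simplified CSP source matching: paths in sources and IPv6 hosts are not evaluated."""
    scheme, host, port = origin(url)
    src = source.lower()
    if src == "'self'":
        return (scheme, host, port) == origin(self_url)
    if src.startswith("'"):                      # 'none', nonces, hashes: never match a URL
        return False
    if src == "*":
        return scheme in DEFAULT_PORTS
    if src.endswith(":") and "/" not in src:     # scheme-source such as https: or data:
        return scheme == src[:-1]
    want_scheme, _, rest = src.rpartition("://")
    want_scheme = want_scheme or origin(self_url)[0]
    if scheme != want_scheme and not (want_scheme == "http" and scheme == "https"):
        return False
    want_host, _, want_port = rest.split("/", 1)[0].partition(":")
    host_ok = host.endswith(want_host[1:]) if want_host.startswith("*.") else host == want_host
    port_ok = want_port == "*" or port == (int(want_port) if want_port else DEFAULT_PORTS.get(scheme))
    return host_ok and port_ok

def image_allowed(header, url, self_url):
    """True if the policy lets a page served from self_url load an image from url."""
    policy = parse_csp(header)
    sources = policy.get("img-src", policy.get("default-src"))
    if sources is None:                          # neither directive present: no restriction
        return True
    return any(source_matches(s, url, self_url) for s in sources)

# Constructed sample values (assumptions, not taken from a real ConnectReport server).
SELF = "https://reports.example.com"
DEFAULT_ONLY = "default-src 'self'"
WITH_IMG_ORIGIN = "default-src 'self'; img-src 'self' https://assets.example.net"
```

To check a real deployment, substitute the Content-Security-Policy value from a live response for the constructed headers. Because policies are cached for 5 minutes, re-check after the cache expires or after restarting the service.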