Implement Security Headers & CSP via HTTP Response for KB Sites
under review
Nilesh Kirti
Description:
Currently, Document360 KB sites inject the Content Security Policy (CSP) using a <meta> tag in the HTML <head>. This approach:
Is not detected by automated security scanning tools (which check HTTP response headers).
Lacks support for certain directives (frame-ancestors, sandbox).
Is less effective against some XSS scenarios compared to HTTP header–based enforcement.
Additionally, the X-Content-Type-Options: nosniff header is missing, leading to security scan failures. This header is not implemented due to MIME type concerns when customers upload files without proper content types.
Requested Scope:
Implement CSP as an HTTP response header with safe default directives.
Add X-Content-Type-Options: nosniff header (with file content type validation).
Include CSP directives requested by customers:
form-action — restrict form submission destinations.
default-src — define fallback sources for all resource types.
report-uri / report-to — log CSP violations without enforcement.
Review script-src, style-src, frame-src, and worker-src for potential removal of unsafe-inline and unsafe-eval.
Benefits:
Passes industry-standard compliance scans (e.g., securityheaders.com).
Meets customer security requirements without backend intervention.
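An added example (not Document360's code) showing the two pieces the request asks for: the CSP emitted as a response header, with a check for directives that only work as a header, and a Content-Type resolver so that nosniff can be enabled without breaking uploads that arrived without a proper type. The default policy, the magic-byte table and the /csp-report endpoint are assumptions, not Document360 settings.

```python
import mimetypes

# Directives browsers ignore when CSP arrives in a <meta> tag; they only
# take effect when the policy is sent as an HTTP response header.
HEADER_ONLY_DIRECTIVES = {"frame-ancestors", "sandbox", "report-uri", "report-to"}

# Safe defaults constructed for this example; no 'unsafe-inline' or 'unsafe-eval'.
DEFAULT_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "frame-src": ["'none'"],
    "worker-src": ["'self'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],
    "report-uri": ["/csp-report"],  # hypothetical violation-logging endpoint
}

# Magic-byte signatures for common uploads; the file extension alone is not
# trusted because customers upload files without proper content types.
MAGIC = [(b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
         (b"%PDF-", "application/pdf")]
INERT_BY_EXTENSION = ("image/", "text/plain", "application/pdf")

def ignored_in_meta(directives):
    """Directives that would silently do nothing if this policy stayed in <meta>."""
    return sorted(set(directives) & HEADER_ONLY_DIRECTIVES)

def build_csp(directives, report_only=False):
    """Serialise a directive map into (header name, header value); report_only
    selects the Report-Only header, so violations are logged but not blocked."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = "; ".join(f"{k} {' '.join(v)}" for k, v in directives.items())
    return name, value

def resolve_content_type(filename, head):
    """Content-Type to send alongside nosniff: magic bytes first, then an
    allow-list of inert types by extension, else a non-renderable fallback."""
    for signature, mime in MAGIC:
        if head.startswith(signature):
            return mime
    guessed, _ = mimetypes.guess_type(filename)
    if guessed and guessed.startswith(INERT_BY_EXTENSION):
        return guessed
    return "application/octet-stream"  # an uploaded .html or .js never runs as such

def security_headers(directives=DEFAULT_CSP, report_only=False):
    """Headers to attach to every KB site response in place of the <meta> tag."""
    name, value = build_csp(directives, report_only)
    return {name: value, "X-Content-Type-Options": "nosniff"}
```

Roll out with report_only=True first so the violation reports show which customer content still relies on inline scripts or styles before the policy is enforced.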
Anna McDonald
D360 Product Management: Any update on this issue?
D360 Product Management
Merged in a post:
Request to Add “X-Content-Type-Options=nosniff” Header for Security Compliance
Karthikeyan J
This request was created on behalf of Jonathan
Our website is not compliant with current security policies because the X-Content-Type-Options=nosniff header is missing, it would be great if we have an option to include that.
Thank you.
Karthikeyan J
+ Anna
Vijay Sakthivel
+Tanuja Venkatesh
D360 Product Management marked this post as under review
Mohamed Shakheen
Nilesh
Thank you for outlining the security enhancement request in detail.
We acknowledge the current limitation of using a <meta> tag for CSP enforcement and the missing X-Content-Type-Options: nosniff header. Your proposed approach of implementing the CSP as an HTTP response header with validated directives and adding the nosniff header aligns with best practices for modern web security and compliance.
Our engineering team will validate this request to assess its feasibility, potential impact on existing deployments, and compatibility with various customer upload scenarios. Once validated, we will update the ETA accordingly.
Vijay Sakthivel
+Andrija Kranjec
Vijay Sakthivel
++Rakesh Panchal
Nadine Khatib
Thank you for upvoting our request! It is really important for our company to implement security headers, as we aim to be compliant with FedRAMP security guidelines.
Akash Sivaraman
Upvoted on behalf of Nadine Khatib