Implement Security Headers & CSP via HTTP Response for KB Sites
complete
Nilesh Kirti
Description:
Currently, Document360 KB sites inject the Content Security Policy (CSP) using a <meta> tag in the HTML <head>. This approach:
- Is not detected by automated security scanning tools (which check HTTP response headers).
- Lacks support for certain directives (frame-ancestors, sandbox).
- Is less effective against some XSS scenarios compared to HTTP header–based enforcement.
Additionally, the X-Content-Type-Options: nosniff header is missing, leading to security scan failures. This header is not implemented due to MIME type concerns when customers upload files without proper content types.
Requested Scope:
- Implement CSP as an HTTP response header with safe default directives.
- Add the X-Content-Type-Options: nosniff header (with file content type validation).
- Include CSP directives requested by customers:
  - form-action — restrict form submission destinations.
  - default-src — define fallback sources for all resource types.
  - report-uri / report-to — log CSP violations without enforcement.
- Review script-src, style-src, frame-src, and worker-src for potential removal of unsafe-inline and unsafe-eval.
Benefits:
- Passes industry-standard compliance scans (e.g., securityheaders.com).
- Meets customer security requirements without backend intervention.
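As an added illustration (not Document360's code and not what shipped in the release), the Go middleware below sends the directives the request lists as a real HTTP response header instead of a <meta> tag, can switch to the Report-Only header so report-uri logs violations without enforcing, and adds X-Content-Type-Options: nosniff. The directive values and the /csp-report endpoint are assumptions; the request names the directives but not their values.

```go
package main

import (
	"net/http"
	"strings"
)

// Directive is one CSP directive with its space-separated source list.
type Directive struct{ Name, Sources string }

// Policy is an ordered directive list, serialized in the order given.
type Policy []Directive

// DefaultPolicy is a constructed "safe default" set; the request names these
// directives but not their values, so the values here are assumptions.
func DefaultPolicy(reportEndpoint string) Policy {
	return Policy{
		{"default-src", "'self'"},
		{"script-src", "'self'"},
		{"style-src", "'self'"},
		{"form-action", "'self'"},
		{"frame-ancestors", "'none'"}, // ignored in a <meta> tag, honoured only as a header
		{"report-uri", reportEndpoint}, // likewise header-only
	}
}

// Serialize renders the policy as a single header value.
func (p Policy) Serialize() string {
	parts := make([]string, 0, len(p))
	for _, d := range p {
		parts = append(parts, d.Name+" "+d.Sources)
	}
	return strings.Join(parts, "; ")
}

// SecurityHeaders wraps a handler and emits the policy as an HTTP response
// header, either enforcing or Report-Only (violations are posted to report-uri
// without anything being blocked), plus X-Content-Type-Options: nosniff.
func SecurityHeaders(p Policy, reportOnly bool, next http.Handler) http.Handler {
	name := "Content-Security-Policy"
	if reportOnly {
		name = "Content-Security-Policy-Report-Only"
	}
	value := p.Serialize()
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set(name, value)
		// nosniff only works if every response carries a correct Content-Type,
		// so uploaded files need their type validated before this is turned on.
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}
```

Pointing a scanner such as securityheaders.com at a site behind this middleware sees the headers directly, which is the detection gap the request describes for the <meta> approach.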
umamaheswari baskaran
Hi All - This has been shipped as part of April 12.4.1 release
Link to release notes : https://docs.document360.com/shared/7e1d1a39-58c3-41e3-a5f5-5f6a8bd81ee5
umamaheswari baskaran marked this post as complete
Crimson Reindeer
Still waiting on this...it's been listed as "Under Review" for months. When will you release a solution for this critical security issue?
Crimson Reindeer
Looks like it's been about 6 months since this critical security feature request was created. When will this fix be released?
Crimson Reindeer
Please share an update on this security issue.
Kesavan M
++ Poised Raven
Crimson Reindeer
D360 Product Management Any updates on this issue?
Vijay Sakthivel
+National Stingray
Crimson Reindeer
D360 Product Management Any update on this issue?
D360 Product Management
Merged in a post:
Request to Add “X-Content-Type-Options=nosniff” Header for Security Compliance
Karthikeyan J
This request was created on behalf of Jonathan
Our website is not compliant with current security policies because the X-Content-Type-Options=nosniff header is missing; it would be great if we had an option to include that.
Thank you.