Updating the Content Security Policy for Customer-hosted Savance Workplace

The Content Security Policy (CSP) is a security layer that helps mitigate attacks such as Cross-Site Scripting (XSS) and other content-injection attacks. It works by telling the browser which origins it may load scripts, stylesheets, images, frames and other resources from; anything outside the policy is blocked and the violation is reported in the browser console. For Savance Workplace the policy is sent as the `Content-Security-Policy` response header, which is defined in the website’s root web.config file.

Occasionally, you may run into issues that require troubleshooting or modification of this directive. This article provides a step-by-step guide on how to perform these tasks. Before you proceed, ensure you have administrative access to the hosting server and the web.config file.

Locating the CSP Directive in the web.config file

1. Connect to your web server, either directly or remotely.

2. Locate the `web.config` file. This file is typically located in the root directory of your Savance Workplace application.

3. Open the `web.config` file in a text editor. You’re looking for a tag that looks like this:

```xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="default-src 'self'; img-src https://*; child-src 'none';"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>
```

The `value` attribute in the `add` tag above is where you define your CSP directive.

Troubleshooting Common Issues

Here are some common issues that might occur:

**Issue:** You’re seeing errors in the browser console indicating CSP violations.

**Solution:** Review the browser console errors carefully. Each violation message names the directive that was applied (for example `img-src`, or `default-src` when no more specific directive exists) and the URL that was blocked. If the blocked resource is one the site legitimately needs, add its origin to that directive. Add only the specific origin rather than widening the policy with `*` or `'unsafe-inline'`, since that removes the protection the CSP provides. To try a new policy without breaking the site, you can first deliver it in a `Content-Security-Policy-Report-Only` header, which reports violations in the console without blocking anything.

**Issue:** Your site isn’t loading external resources (e.g., images, stylesheets, scripts).

**Solution:** Check that your CSP allows these resources in the directive that governs them. For example, if you’re loading images from `https://abc-corp.com`, you need a directive such as `img-src 'self' https://abc-corp.com;`. Note that a specific directive replaces `default-src` for that resource type instead of extending it, so `img-src https://abc-corp.com;` on its own would block images served from your own site; keep `'self'` in the list when those are needed.
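When a console error is not enough to explain a block, it helps to evaluate the policy the way the browser does. The following Python script is an added example for this article, not Savance code: it parses a CSP value such as the one in web.config, applies the fall-back from a missing fetch directive to `default-src`, and reports whether a given URL is allowed. The page origin `https://workplace.example.com` and the URLs in the demo are assumptions made for the illustration.

```python
"""Evaluate a CSP value against a resource URL (added example, not Savance code).

Assumed page origin: https://workplace.example.com. Only fetch directives
(img-src, script-src, child-src, ...) and host/scheme/'self'/'none' sources
are handled; nonces and hashes never match a URL.
"""
import re
from urllib.parse import urlsplit

FETCH_FALLBACK = "default-src"          # used when the specific fetch directive is absent
DEFAULT_PORTS = {"http": 80, "https": 443}
SCHEME_SOURCE = re.compile(r"[a-z][a-z0-9+.\-]*:")
HOST_SOURCE = re.compile(
    r"(?:(?P<scheme>[a-z][a-z0-9+.\-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[^/:*]+)(?::(?P<port>\d+|\*))?(?:/.*)?"
)


def parse_policy(policy: str) -> dict:
    """'default-src 'self'; img-src https://*;' -> {'default-src': ["'self'"], 'img-src': ['https://*']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _origin(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, as used for 'self' matching."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression ('self', https://*, https://abc-corp.com, https:) match url?"""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin(url) == _origin(page_origin)
    if src.startswith("'"):              # 'unsafe-inline', nonces, hashes: never a URL match
        return False
    scheme, host, port = _origin(url)
    if SCHEME_SOURCE.fullmatch(src):     # scheme-source such as "https:" or "data:"
        return scheme == src[:-1]
    m = HOST_SOURCE.fullmatch(src)
    if not m:
        return False
    # A host-source without a scheme takes the page's scheme; http also admits https.
    want_scheme = m["scheme"] or _origin(page_origin)[0]
    if scheme != want_scheme and not (want_scheme == "http" and scheme == "https"):
        return False
    want_host = m["host"]
    if want_host.startswith("*."):       # *.abc-corp.com matches subdomains, not abc-corp.com itself
        if not host.endswith(want_host[1:]):
            return False
    elif want_host != "*" and host != want_host:
        return False
    want_port = m["port"]
    if want_port is None:                # no port in the source: only the scheme's default port matches
        return port == DEFAULT_PORTS.get(scheme)
    return want_port == "*" or port == int(want_port)


def csp_allows(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """True if url may be loaded under `directive`; an absent directive falls back to default-src.

    Returns True when neither the directive nor default-src is present (no restriction).
    """
    directives = parse_policy(policy)
    sources = directives.get(directive.lower(), directives.get(FETCH_FALLBACK))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    policy = "default-src 'self'; img-src https://*; child-src 'none';"   # the header from web.config
    origin = "https://workplace.example.com"                              # assumed site origin
    for directive, url in [("img-src", "https://abc-corp.com/logo.png"),
                           ("img-src", "http://abc-corp.com/logo.png"),
                           ("script-src", "https://abc-corp.com/app.js"),
                           ("child-src", "https://workplace.example.com/frame.html")]:
        verdict = "allowed" if csp_allows(policy, directive, url, origin) else "BLOCKED"
        print(f"{directive:<10} {url:<45} {verdict}")
```

The `script-src` case above is the one that surprises people: the policy has no `script-src`, so the browser applies `default-src 'self'` and blocks the external script even though images from the same host are fine.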

Modifying the CSP Directive

You can modify the CSP directive by altering the `value` attribute inside the `add` tag.

1. Find the `add` tag as explained in the “Locating the CSP Directive” section.

2. Modify the `value` attribute to include the sources you want to allow. Here are some example policies:

- `default-src 'self';` allows content only from the site’s own origin (same scheme, host and port) for every resource type that has no more specific directive.
- `img-src https://*;` allows images from any HTTPS host. Because the directive is present, it replaces `default-src` for images rather than adding to it (here `https://*` still covers the site itself as long as it is served over HTTPS).
- `child-src 'none';` blocks frames and web workers from every source, including the site itself.

3. Save the changes to the `web.config` file. IIS detects the change and restarts the application automatically; if the old header is still being served (check the response headers in the browser’s developer tools), recycle the application pool or restart the IIS service.

Note: modifying the CSP directive affects the security and functionality of your organization’s Savance Workplace website. Always test any changes and prepare rollback contingencies before applying any changes to your production environment.
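The same change can be made by script instead of by hand, which makes it reviewable and repeatable. The following Python script is an added example for this article, not a Savance utility. It assumes the header sits under `system.webServer/httpProtocol/customHeaders` as shown above; the web.config it operates on in the demo is a constructed sample. It adds one source to one directive, copying `default-src` first when the directive did not exist so that the existing restriction is kept rather than replaced, drops `'none'` when a real source is added to a directive that had only `'none'`, and backs up the file before writing.

```python
"""Add a source to one CSP directive in web.config, backing the file up first.

Added example for this article, not a Savance tool. Assumes the header lives at
system.webServer/httpProtocol/customHeaders/add[@name='Content-Security-Policy'].
"""
import shutil
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

CSP_ADD_XPATH = ".//customHeaders/add[@name='Content-Security-Policy']"

# Constructed sample web.config for the demonstration; not a real Savance Workplace file.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- constructed sample for the CSP example -->
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self'; img-src https://*; child-src 'none';" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


def parse_policy(policy: str) -> dict:
    """Split 'a x; b y z;' into {'a': ['x'], 'b': ['y', 'z']}, keeping directive order."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_policy(directives: dict) -> str:
    """Inverse of parse_policy, in the 'name sources;' form used in web.config."""
    return " ".join(f"{name} {' '.join(sources)};" for name, sources in directives.items())


def add_source(policy: str, directive: str, source: str) -> str:
    """Return the policy with `source` added to `directive` (idempotent)."""
    directives = parse_policy(policy)
    name = directive.lower()
    if name not in directives:
        # An absent fetch directive inherits default-src in the browser. Copy that list
        # so creating the directive does not silently widen or narrow what was allowed.
        directives[name] = list(directives.get("default-src", []))
    # 'none' cannot be combined with other sources; drop it once a real source is added.
    sources = [s for s in directives[name] if s.lower() != "'none'"]
    if source not in sources:
        sources.append(source)
    directives[name] = sources
    return serialize_policy(directives)


def _parse_xml(xml_text: str) -> ET.Element:
    # TreeBuilder(insert_comments=True) (Python 3.8+) keeps the comments in web.config;
    # the default parser would drop them on write-back.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _csp_node(root: ET.Element) -> ET.Element:
    node = root.find(CSP_ADD_XPATH)
    if node is None:
        raise LookupError("no Content-Security-Policy <add> under customHeaders")
    return node


def read_csp(xml_text: str) -> str:
    """The current header value from web.config text."""
    return _csp_node(_parse_xml(xml_text)).get("value", "")


def update_csp(xml_text: str, directive: str, source: str) -> str:
    """Return the web.config text with `source` added to `directive`."""
    root = _parse_xml(xml_text)
    node = _csp_node(root)
    node.set("value", add_source(node.get("value", ""), directive, source))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def update_csp_file(path, directive: str, source: str) -> str:
    """Back up web.config next to itself, rewrite it, and return the new header value."""
    path = Path(path)
    backup = path.with_name(f"{path.name}.{datetime.now():%Y%m%d-%H%M%S}.bak")
    shutil.copy2(path, backup)
    # utf-8-sig strips the byte-order mark that Windows editors often put on web.config.
    new_text = update_csp(path.read_text(encoding="utf-8-sig"), directive, source)
    path.write_text(new_text, encoding="utf-8")
    return read_csp(new_text)


if __name__ == "__main__":
    print("before:", read_csp(SAMPLE_WEB_CONFIG))
    print("after: ", read_csp(update_csp(SAMPLE_WEB_CONFIG, "img-src", "https://abc-corp.com")))
```

To apply it to a real site, call `update_csp_file` with the path of your web.config, the directive and the origin to allow; the backup it writes next to the file is what you restore if the change has to be rolled back.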

Conclusion

We hope this guide has been helpful in troubleshooting and modifying the Content Security Policy directive in the `web.config` file for your Savance Workplace website. As a best practice, remember to always back up your `web.config` file before making any changes. Should you encounter any further issues, don’t hesitate to contact our support team for further assistance.