Introduction
Content Security Policy (CSP) is a web security standard that helps protect Kepion against common web-based attacks, such as cross-site scripting (XSS) and clickjacking. CSP works by defining which sources of content are allowed to execute, load, or embed within the application.
Note: Starting with Kepion version 6.1.24324, CSP is enabled by default.
To balance security with backward compatibility, the default behavior differs depending on whether the environment is newly created or upgraded from an existing deployment.
CSP policies in Kepion
Kepion implements CSP through two policies.
Custom content security policy
The custom content security policy controls application-level behavior, including how Kepion pages can be embedded in external websites or applications.
- This policy is enabled by default when CSP is turned on at the environment level
- Customers can control how Kepion pages are embedded by external applications
Embedded content security policy
The embedded content security policy applies to embedded HTML content within Kepion.
- This policy supports modes that control enforcement behavior
- It allows customers to introduce CSP gradually without breaking existing embedded content
Default behavior by environment type
New environments
For newly created environments, CSP is enabled with secure-by-default enforcement.
Custom content security policy
- Prevents Kepion pages from being embedded in external applications
Embedded content security policy
- Blocks JavaScript execution in embedded HTML
- Restricts embedded content so that it can be framed only by Kepion
- Mode is set to enforce
End-user impact
- Kepion must be accessed directly
- Embedded HTML content is static and non-interactive
This configuration provides the highest security posture by default
Upgraded (existing) environments
For environments upgraded from earlier versions, CSP is enabled in a backward-compatible configuration.
Custom content security policy
- Allows Kepion to be embedded in external applications
Embedded content security policy
- Mode is set to report only
- JavaScript execution and framing behavior continue to function as before
- CSP violations are logged but not blocked
End-user impact
- No functional changes after upgrade
- Existing embeddings and scripted embedded content continue to work
- Administrators gain visibility into CSP violations
Customize CSP behavior
CSP behavior in Kepion is configurable through system-level settings stored in the Kepion_System database. These settings allow customers to tailor CSP behavior to meet security, embedding, or compatibility requirements.
The following keys in the SystemSettings table control CSP behavior:
EnableContentSecurityPolicy
Controls whether CSP is enabled globally in the environment.
- True: CSP headers are sent and enforced according to policy settings
- False: CSP is disabled entirely for the environment
CustomContentSecurityPolicy
Defines application-level CSP rules that control how Kepion can be embedded by other applications.
Common customizations include:
- scriptSrc: Controls whether JavaScript is allowed or which script sources are permitted for Kepion application pages
- frameAncestors: Restricts where Kepion can be embedded by other applications
Changes to this policy are always enforced once applied.
EmbeddedContentSecurityPolicy
Defines CSP rules for embedded HTML content inside Kepion.
Common customizations include:
- scriptSrc: Controls whether JavaScript is allowed or which scripts are allowed in embedded HTML
- frameAncestors: Restricts where embedded content can be framed
- mode: Controls whether CSP is enforced or reported only
This policy provides the most flexibility and is commonly adjusted during CSP rollout or troubleshooting.
Below are the three modes applied to the embedded content security policy.
| Mode | Description |
|---|---|
| 0 | None - CSP is disabled for embedded content |
| 1 | Enforce - CSP violations are blocked |
| 2 | Report-only - CSP violations are logged but not blocked |
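As an added illustration (not Kepion's own code), the following Python model shows how the mode, scriptSrc and frameAncestors settings described above map onto the CSP response headers a browser sees, and includes a check an administrator can run over captured response headers to confirm which mode is actually in effect. The policy values are constructed for the example; the page does not show Kepion's storage format for these settings, so simple dictionaries are assumed here.

```python
# Illustrative model of the embedded content security policy settings
# (scriptSrc, frameAncestors, mode 0/1/2). Added example, not Kepion code;
# the setting names come from the documentation, the value format is assumed.

MODE_NONE, MODE_ENFORCE, MODE_REPORT_ONLY = 0, 1, 2

# Constructed policies mirroring the two default configurations described:
# a new environment (enforced, no JavaScript, framed only by Kepion) and an
# upgraded environment (permissive values, report-only so nothing is blocked).
NEW_ENVIRONMENT_EMBEDDED = {
    "scriptSrc": "'none'",        # blocks JavaScript execution in embedded HTML
    "frameAncestors": "'self'",   # embedded content may be framed only by Kepion
    "mode": MODE_ENFORCE,
}
UPGRADED_ENVIRONMENT_EMBEDDED = {
    "scriptSrc": "'self' 'unsafe-inline'",  # constructed permissive value
    "frameAncestors": "*",                  # constructed permissive value
    "mode": MODE_REPORT_ONLY,
}


def build_csp_header(policy):
    """Return (header_name, header_value) for a policy, or None when mode is 0.

    Mode 1 sends Content-Security-Policy (violations blocked); mode 2 sends
    Content-Security-Policy-Report-Only (violations logged, not blocked).
    """
    mode = policy["mode"]
    if mode == MODE_NONE:
        return None
    directives = [
        f"script-src {policy['scriptSrc']}",
        f"frame-ancestors {policy['frameAncestors']}",
    ]
    name = ("Content-Security-Policy" if mode == MODE_ENFORCE
            else "Content-Security-Policy-Report-Only")
    return name, "; ".join(directives)


def classify_csp(headers):
    """Verification step: given a dict of response headers, report which CSP
    mode the browser will apply. Header names are matched case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if "content-security-policy" in lowered:
        return "enforce"
    if "content-security-policy-report-only" in lowered:
        return "report-only"
    return "none"
```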
For detailed step-by-step guidance on customizing CSP settings, including sample SQL updates and verification steps, see Customize CSP behavior.
Disable CSP
Kepion provides two supported approaches to relax or disable CSP.
Disable CSP for embedded content only
To disable CSP enforcement for embedded HTML components while keeping CSP enabled for the rest of the application, set the embedded content security policy mode to none (mode = 0).
This approach is recommended for compatibility or troubleshooting scenarios involving embedded content.
Disable CSP completely
To disable CSP entirely, set EnableContentSecurityPolicy to False. This disables all CSP headers, including both custom and embedded content security policies, and should be used only in exceptional cases.
For detailed step-by-step guidance on customizing CSP settings, including sample SQL updates and verification steps, see Customize CSP behavior.
Apply configuration changes
All CSP configuration changes follow the same process:
1. Update the appropriate key in the Kepion_System.dbo.SystemSettings table
2. Verify the updated value
3. Restart Kepion in Internet Information Services (IIS)
An IIS restart is required for any CSP configuration change to take effect.
Customer guidance and best practices
Customers upgrading existing environments should review CSP reports generated in report-only mode and update embedded HTML to comply with CSP before switching to enforce mode.
Customers who embed Kepion in external applications or use interactive embedded HTML should explicitly configure the appropriate CSP directives to allow required framing and script sources.
New environments should retain the default enforced CSP settings whenever possible to maintain a strong security posture.