Introduction
This article provides step-by-step guidance on how to customize content security policy (CSP) settings in Kepion for two common scenarios:
- Restricting where Kepion can be embedded by other applications using frameAncestors
- Disabling CSP entirely for troubleshooting purposes
For an overview of CSP concepts and default behavior, see Content Security Policy (CSP) in Kepion.
Before you start
Before making changes, ensure you understand how CSP works in Kepion and how it affects application behavior.
Configure frameAncestors
The frameAncestors directive in CSP controls which sources are permitted to embed Kepion within an iframe. This helps prevent clickjacking attacks by limiting embedding to trusted domains.
1. Open SSMS and connect to the Kepion_System database.
2. Execute the following script. Make sure you replace the example sources ("https://example.org", "https://example.com") with the domains you want to allow to embed Kepion.
USE [Kepion_System];
GO
-- WARNING: Be cautious when updating CustomContentSecurityPolicy.
-- This setting is stored as JSON. Direct updates may overwrite existing configurations.
-- Ensure that updates preserve the existing structure.

-- Check if the CustomContentSecurityPolicy key exists
IF EXISTS (
    SELECT 1
    FROM [dbo].[SystemSettings]
    WHERE [Key] = N'CustomContentSecurityPolicy'
)
BEGIN
    -- Dynamically merge the existing JSON with the new frameAncestors value
    DECLARE @ExistingValue NVARCHAR(MAX);
    SELECT @ExistingValue = [Value]
    FROM [dbo].[SystemSettings]
    WHERE [Key] = N'CustomContentSecurityPolicy';

    -- Use JSON_MODIFY to update only the frameAncestors field, leaving other keys intact
    UPDATE [dbo].[SystemSettings]
    SET [Value] = JSON_MODIFY(@ExistingValue, '$.frameAncestors', JSON_QUERY('["https://example.org", "https://example.com"]'))
    WHERE [Key] = N'CustomContentSecurityPolicy';
END
ELSE
BEGIN
    -- Insert the key if it doesn't exist yet
    INSERT INTO [dbo].[SystemSettings] ([Key], [Value])
    VALUES (N'CustomContentSecurityPolicy', N'{"frameAncestors": ["https://example.org", "https://example.com"]}');
END
Note: CustomContentSecurityPolicy is stored as a JSON document. An UPDATE that replaces the whole value can silently overwrite other settings stored under the same key and disrupt them. Always make sure your change preserves the current JSON structure and keeps any pre-existing configuration; the script above uses JSON_MODIFY for exactly that reason.
3. Verify the changes in the SystemSettings table.
SELECT *
FROM [Kepion_System].[dbo].[SystemSettings]
WHERE [Key] = N'CustomContentSecurityPolicy';
4. Restart Kepion in IIS.
Disable CSP
Disabling CSP removes all CSP headers, including both custom and embedded content policies. This should be done only in exceptional troubleshooting scenarios. To disable CSP in your environment, follow these steps:
1. Open SSMS and connect to the Kepion_System database.
2. Execute the following statement.
USE [Kepion_System];
GO
IF EXISTS (
    SELECT 1 FROM [dbo].[SystemSettings] WHERE [Key] = N'EnableContentSecurityPolicy'
)
BEGIN
    UPDATE [dbo].[SystemSettings]
    SET [Value] = N'False'
    WHERE [Key] = N'EnableContentSecurityPolicy';
END
ELSE
BEGIN
    INSERT INTO [dbo].[SystemSettings] ([Key], [Value])
    VALUES (N'EnableContentSecurityPolicy', N'False');
END
3. Verify the changes in the SystemSettings table.
SELECT *
FROM [Kepion_System].[dbo].[SystemSettings]
WHERE [Key] = N'EnableContentSecurityPolicy';
4. Restart Kepion in IIS.
Note: To apply the changes, you must restart Kepion in Internet Information Services (IIS). For instructions, see the article on restarting IIS.
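After the IIS restart, the only way to know either change took effect is to look at the Content-Security-Policy header Kepion actually serves. The following check, an added example and not part of Kepion or this article, compares that header's frame-ancestors sources against the frameAncestors list stored in CustomContentSecurityPolicy, and flags a missing header as the "Disable CSP" state so a temporary troubleshooting change is not left in place. It assumes Kepion emits frameAncestors as the standard frame-ancestors directive; the URL passed to fetch_csp_header is supplied by the caller.

```python
"""Verify the CSP header Kepion actually serves against the frameAncestors
allow-list stored in SystemSettings. Added example, not Kepion's own code; it
assumes Kepion emits frameAncestors as the standard `frame-ancestors` directive."""
import json
from typing import Optional
from urllib.request import urlopen

# Constructed sample of the CustomContentSecurityPolicy value after the update.
SAMPLE_SETTING = '{"frameAncestors": ["https://example.org", "https://example.com"]}'


def allowed_ancestors(setting_json: str) -> list:
    """Extract the frameAncestors list from the stored JSON setting."""
    return list(json.loads(setting_json).get("frameAncestors", []))


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive-name: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_frame_ancestors(header: Optional[str], expected: list) -> list:
    """Return findings; an empty list means the header matches the allow-list."""
    if header is None:
        # The "Disable CSP" state: with no header, any site can frame Kepion.
        return ["no Content-Security-Policy header served; CSP is disabled"]
    policy = parse_csp(header)
    if "frame-ancestors" not in policy:
        return ["frame-ancestors directive missing; embedding is unrestricted"]
    served, wanted = set(policy["frame-ancestors"]), set(expected)
    findings = [f"unexpected source served: {s}" for s in sorted(served - wanted)]
    findings += [f"configured source not served: {s}" for s in sorted(wanted - served)]
    if "*" in served:
        findings.append("wildcard '*' lets every origin frame Kepion")
    return findings


def fetch_csp_header(url: str) -> Optional[str]:
    """Read the CSP header from a running Kepion instance (None if absent)."""
    with urlopen(url) as resp:  # url is supplied by the caller (assumption)
        return resp.headers.get("Content-Security-Policy")


if __name__ == "__main__":
    # Offline check against a constructed header; after the IIS restart, pass
    # fetch_csp_header("https://<kepion-host>/") instead of the literal header.
    print(check_frame_ancestors("frame-ancestors https://example.org https://example.com",
                                allowed_ancestors(SAMPLE_SETTING)))  # []
```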