2026-02-11 CSP/Content Security Policy with 19.21
Content Security Policy (CSP) Headers
Overview
We've implemented Content Security Policy (CSP) headers to enhance the security of the iGrafx Platform. CSP is a browser security mechanism that helps prevent cross-site scripting (XSS) attacks, clickjacking, and other code injection attacks by controlling which resources can be loaded and executed on web pages.
For On-Premises Customers
What's Changed
The iGrafx Platform now includes Content Security Policy headers that define which external resources (scripts, styles, images, etc.) can be loaded by your browser. By default, the CSP is running in report-only mode.
Report-Only Mode (Default)
In report-only mode:
The CSP policy is active and monitoring your application usage
If any content violates the policy, your browser will log a warning in the developer console
No functionality is blocked - all content loads normally
This allows you to monitor for potential issues before enforcement is enabled
You may see warnings in your browser's developer console (F12) that look like:
[Report Only] Refused to load the script 'https://example.com/script.js' because it violates the Content Security Policy directive...
These warnings are informational only and do not affect application functionality.
Enabling Enforcement Mode
If you want to enable enforcement mode (where violations are blocked rather than just logged), you can configure this via a JVM argument:
-Digrafx.security.csp=enforce
For instructions on how to set JVM arguments for the iGrafx Platform, see our Advanced Configuration Guide.
CSP Policy Customization
The current CSP policy is designed to work with standard iGrafx Platform features and configurations. Customization of the CSP policy is not currently available through configuration.
If you have specific needs that require CSP policy modifications (for example, loading resources from specific external domains), please contact our Helpdesk team at https://echo.igrafx.com. We will review your request and incorporate the necessary changes into upcoming releases.
Frame Embedding Settings
The CSP frame-ancestors directive aligns with your existing igrafx.security.frameoptions system property setting:
frameoptions=sameorigin → CSP allows embedding only from the same origin (default)
frameoptions=deny → CSP blocks all embedding
frameoptions=disable → CSP allows embedding from any origin
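The following Python example is added here for illustration and is not iGrafx code. It models the two settings described above: the header name that changes when igrafx.security.csp switches from report-only to enforce, and the frame-ancestors directive that follows igrafx.security.frameoptions. It also includes the check an on-premises administrator would run against a captured response to confirm which mode the platform is actually in. The source lists ('self', 'none', *), the placeholder default-src directive, and the sample headers are assumptions; the page only states which embedding each frameoptions value allows.

```python
"""Added example, not iGrafx's own code: CSP mode and frame-ancestors modelling
plus a response-header check. Directive contents are assumed, not taken from
the platform."""

from typing import Dict, List, Optional, Tuple

# Header names defined by the CSP specification.
ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# Assumed translation of the frameoptions property into frame-ancestors sources.
FRAME_ANCESTORS = {
    "sameorigin": "'self'",  # embedding only from the same origin (default)
    "deny": "'none'",        # no embedding at all
    "disable": "*",          # embedding from any origin
}


def frame_ancestors_directive(frameoptions: str = "sameorigin") -> str:
    """Map a frameoptions value to the matching frame-ancestors directive."""
    try:
        return f"frame-ancestors {FRAME_ANCESTORS[frameoptions.lower()]}"
    except KeyError:
        raise ValueError(f"unknown frameoptions value: {frameoptions!r}") from None


def build_csp_header(mode: str = "report-only",
                     frameoptions: str = "sameorigin") -> Tuple[str, str]:
    """Return (header name, header value) for the given mode and frame setting.

    The default-src directive is an illustrative placeholder; the platform's
    real directive list is not shown on the page.
    """
    if mode == "enforce":
        name = ENFORCE_HEADER
    elif mode == "report-only":
        name = REPORT_ONLY_HEADER
    else:
        raise ValueError(f"unknown csp mode: {mode!r}")
    value = "; ".join(["default-src 'self'", frame_ancestors_directive(frameoptions)])
    return name, value


def parse_directives(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source, ...]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_mode(headers: Dict[str, str]) -> Optional[str]:
    """Tell from response headers whether CSP is enforced, report-only, or absent.

    A response may carry both headers; the enforcing one wins because that is
    the policy the browser blocks on.
    """
    names = {k.lower() for k in headers}
    if ENFORCE_HEADER.lower() in names:
        return "enforce"
    if REPORT_ONLY_HEADER.lower() in names:
        return "report-only"
    return None


def embedding_allowed(value: str, page_origin: str, embedder_origin: str) -> bool:
    """Decide whether frame-ancestors in `value` lets embedder_origin frame the page.

    Simplified matching: 'self' is compared as a whole origin string and host
    sources must match the embedder origin exactly (no wildcard hosts).
    """
    sources = parse_directives(value).get("frame-ancestors")
    if sources is None:
        return True  # no directive: CSP imposes no embedding restriction
    for src in sources:
        if src == "'none'":
            return False
        if src == "*" or src == embedder_origin:
            return True
        if src == "'self'" and embedder_origin == page_origin:
            return True
    return False


if __name__ == "__main__":
    # Constructed response headers, as a test client might capture them.
    captured = {
        "Content-Type": "text/html",
        "Content-Security-Policy-Report-Only": "default-src 'self'; frame-ancestors 'self'",
    }
    print("mode:", csp_mode(captured))  # report-only: nothing is blocked yet
    name, value = build_csp_header("enforce", "deny")
    print(f"{name}: {value}")
    print(embedding_allowed(value, "https://platform.example", "https://portal.example"))
```

After setting -Digrafx.security.csp=enforce, the practical check is the one csp_mode performs: fetch any platform page and confirm the response carries Content-Security-Policy rather than Content-Security-Policy-Report-Only. If only the report-only header is present, the JVM argument has not taken effect and violations are still being logged, not blocked.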
Dashboard iFrame Support
The iGrafx Platform supports embedding external content (iframes) within custom dashboards. The CSP policy is configured to allow this functionality without restrictions.
For Cloud Customers
What to Expect
Content Security Policy headers have been enabled for iGrafx Cloud deployments in report-only mode. During this phase:
You may see additional warnings in your browser's developer console (F12)
All application capabilities remain fully functional - these warnings are informational only
Enforcement Timeline
CSP enforcement mode will be enabled for cloud deployments in H2 2026. When enforcement is activated:
The transition will be seamless with no expected disruption or change in behavior
All current functionality will continue to work as designed
The CSP policy has been thoroughly tested to ensure compatibility with all cloud features
Questions or Issues?
If you have questions about CSP or encounter any issues:
Contact our Helpdesk at https://echo.igrafx.com