Content Security Policy (CSP) is a browser security mechanism, delivered as an HTTP response header, that tells the browser which sources of content your application trusts. It mitigates cross-site scripting (XSS), clickjacking and other code injection attacks: any script, style, image, frame or other resource that does not match the policy is refused by the browser (or, in report-only mode, loaded but reported).
Without CSP, any script an attacker manages to inject into a page, whether through unsanitized user input or through a compromised third-party library, runs with the same privileges as your own code. CSP adds a layer of defense by restricting where scripts and other resources may be loaded from, so an injected script whose source is not on the list is simply not executed.
Edit the app/Config/App.php file and set the following property to true:
public $CSPEnabled = true;
RISE ships with predefined CSP rules that allow the core scripts, styles, fonts and other internal resources the application needs to run correctly.
Important: if you use any third-party plugins, custom scripts or external assets (CDNs, web fonts, analytics, embedded video, etc.), you must explicitly allow their origins in the CSP configuration. Anything you do not allow will be blocked by the browser, and the blocked requests show up as CSP violation errors in the browser's developer console.
To customize CSP rules, edit: app/Config/ContentSecurityPolicy.php and update the required config values.
Example: to allow embedded YouTube videos and Google Analytics, set the following values. Each property maps to one CSP directive: $scriptSrc (script-src) governs where scripts may be loaded from, $imageSrc (img-src) images such as tracking pixels and video thumbnails, $connectSrc (connect-src) XHR/fetch/beacon requests made by scripts, and $frameSrc (frame-src) the origins that may be embedded in an iframe.
public $scriptSrc = ['self', 'https://www.google-analytics.com/', 'https://www.googletagmanager.com/'];
public $imageSrc = ['self', 'https://www.google-analytics.com/', 'https://www.googletagmanager.com/', 'https://www.youtube.com/'];
public $connectSrc = ['self', 'https://www.google-analytics.com/'];
public $frameSrc = ['self', 'https://www.youtube.com/'];
Only add sources you trust. Every origin you allow may serve any script it likes to your users, so adding an unknown host, a shared public CDN or a wildcard widens your attack surface instead of narrowing it. Note that allowing a host does not cover its sibling domains: a resource served from another hostname (for example a thumbnail from a different subdomain of the same provider) still needs its own entry. When rolling out a new policy, the same configuration file also offers the CodeIgniter $reportOnly switch; with it set to true, violations are reported in the browser console (and to $reportURI if configured) but nothing is blocked, which lets you collect the missing origins before enforcing the policy.
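To make concrete what the policy above permits and blocks, here is an added example (not RISE or CodeIgniter code) that models, in simplified form, how a browser evaluates a fetched resource against a CSP header. The header string is constructed from the example values above and assumes a default-src of 'self' for directives the example does not set; the page origin, the resource URLs and the fallback behaviour for unlisted directives are part of the example. It handles only what this page uses ('self' and scheme+host sources with an optional path prefix, plus fallback to default-src) and ignores wildcards, ports, nonces and hashes.

```javascript
// Added example: a simplified model of browser-side CSP matching.
// Not the real browser algorithm, and not RISE or CodeIgniter code.

// When a directive is absent, the browser consults these in order.
const FALLBACK = {
  "script-src": ["default-src"],
  "style-src": ["default-src"],
  "img-src": ["default-src"],
  "font-src": ["default-src"],
  "connect-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
  "child-src": ["default-src"],
};

// Parse a header value such as "default-src 'self'; img-src 'self' https://a.com/"
// into { "default-src": ["'self'"], "img-src": ["'self'", "https://a.com/"] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match the resource URL?
function sourceMatches(source, resourceUrl, pageOrigin) {
  if (source === "'self'") return resourceUrl.origin === pageOrigin;
  if (source === "'none'") return false;
  let src;
  try { src = new URL(source); } catch { return false; } // other keywords: no match here
  if (src.protocol !== resourceUrl.protocol || src.host !== resourceUrl.host) return false;
  // A source path ending in "/" matches every path beneath it, so
  // "https://www.youtube.com/" covers the whole origin.
  if (src.pathname.endsWith("/")) return resourceUrl.pathname.startsWith(src.pathname);
  return resourceUrl.pathname === src.pathname;
}

// Which directive decides this load: the named one, or the first present fallback.
function effectiveDirective(policy, directive) {
  if (policy[directive]) return directive;
  for (const fb of FALLBACK[directive] || []) {
    if (policy[fb]) return fb;
  }
  return null;
}

// Returns { allowed, directive }. directive is null when the policy says
// nothing about this type of load, in which case the browser allows it.
function isAllowed(policy, directive, url, pageOrigin) {
  const governing = effectiveDirective(policy, directive);
  if (!governing) return { allowed: true, directive: null };
  const resource = new URL(url);
  const allowed = policy[governing].some(s => sourceMatches(s, resource, pageOrigin));
  return { allowed, directive: governing };
}

// Constructed header mirroring the example config on this page, with an
// assumed default-src 'self' for directives the example leaves unset.
const EXAMPLE_POLICY = parsePolicy(
  "default-src 'self'; " +
  "script-src 'self' https://www.google-analytics.com/ https://www.googletagmanager.com/; " +
  "img-src 'self' https://www.google-analytics.com/ https://www.googletagmanager.com/ https://www.youtube.com/; " +
  "connect-src 'self' https://www.google-analytics.com/; " +
  "frame-src 'self' https://www.youtube.com/"
);

const PAGE_ORIGIN = "https://crm.example.com"; // hypothetical RISE installation

// Constructed loads a page with GA and a YouTube embed might trigger.
const REQUESTS = [
  ["script-src",  "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"],
  ["frame-src",   "https://www.youtube.com/embed/abc123"],
  ["connect-src", "https://www.google-analytics.com/collect"],
  ["script-src",  "https://cdn.example.com/plugin.js"],        // unlisted CDN
  ["img-src",     "https://i.ytimg.com/vi/abc123/hqdefault.jpg"], // sibling domain, not listed
  ["font-src",    "https://fonts.gstatic.com/s/roboto.woff2"],  // no font-src: default-src decides
];

function checkResources() {
  return REQUESTS.map(([type, url]) => ({ type, url, ...isAllowed(EXAMPLE_POLICY, type, url, PAGE_ORIGIN) }));
}

for (const r of checkResources()) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"} ${r.type.padEnd(11)} ${r.url}` +
              (r.directive && r.directive !== r.type ? `  (decided by ${r.directive})` : ""));
}
```

The last three requests are the cases that surprise people in practice: a plugin script from an origin nobody added, a YouTube thumbnail that comes from i.ytimg.com rather than www.youtube.com, and a web font that fails not because of font-src (which is unset) but because the request falls through to default-src 'self'. These are exactly the entries you would see as violation reports in the console and then add to app/Config/ContentSecurityPolicy.php.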