Enabling content security for REST API

The content security policy (CSP) is an added layer of security that detects and mitigates certain types of attacks, including cross-site scripting and data injection attacks.

CSP is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks that result from the execution of malicious content in the context of a trusted web page. It is a Candidate Recommendation of the W3C working group on Web Application Security and is widely supported by modern web browsers. CSP gives website owners a standard way to declare the approved origins of content that browsers are allowed to load on that website.

You can add CSP directives to the Decision Center REST API by setting the decisioncenter.restapi.csp property as a Java virtual machine (JVM) argument of the server.

The following example uses none, the most restrictive directive possible. You can set this property to another directive, such as all or user. The CSP directive in the Decision Center REST API alters the appearance of the Swagger interface.

Add the CSP directive to the jvm.options file:

-Ddecisioncenter.restapi.csp="default-src 'none'"
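As an added example (not part of the Decision Center documentation or product), the following Python reads the option above out of jvm.options text and runs a basic review of the policy it carries, so that a weakened value such as an unquoted none or an 'unsafe-inline' source is caught before the file is deployed. The quote handling and the checks are assumptions about how a practitioner would validate the setting, not product behaviour.

```python
"""Added example: extract and review the CSP value passed through
-Ddecisioncenter.restapi.csp in jvm.options. Not IBM code."""

JVM_OPTION = "-Ddecisioncenter.restapi.csp="

# Source keywords that only count as keywords when single-quoted.
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval"}


def csp_from_jvm_options(text):
    """Return the policy from the first matching line of jvm.options text,
    with surrounding double quotes removed, or None if the option is absent.
    Assumption: one option per line, as in the documented example."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(JVM_OPTION):
            value = line[len(JVM_OPTION):].strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            return value
    return None


def parse_csp(policy):
    """Split a policy into {directive name: [source expressions]}.
    Directives are ';'-separated; the first token of each is the name."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def review_csp(policy):
    """Return a list of findings that weaken the policy; [] means none."""
    directives = parse_csp(policy)
    findings = []
    if "default-src" not in directives:
        findings.append("no default-src: unlisted fetch directives are unrestricted")
    for name, sources in directives.items():
        for src in sources:
            if src.strip("'") in KEYWORDS and not src.startswith("'"):
                # Unquoted 'none'/'self' are read by the browser as host names.
                findings.append(f"{name}: {src} is unquoted, so it names a host")
            elif src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{name}: {src} re-enables injected script")
            elif src == "*" or src in ("http:", "https:", "data:"):
                findings.append(f"{name}: {src} allows any origin of that kind")
    return findings
```

With the documented value the review returns no findings; the same check applied to a looser policy chosen to keep the Swagger interface usable shows exactly what that relaxation permits.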