THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT v7.4.11 and later
- In v8 and later, add the key name below to the AdvancedProperties.json file. Refer to the Advanced Properties topic in your version of EFT for help regarding editing the Advanced Properties file.
The Content Security Policy (CSP) HTTP response header declares which dynamic resources are allowed to load in the browser.
By default, EFT will issue the following CSP header:
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;
These values have the following meanings, as documented here: https://content-security-policy.com/.
default-src 'self' = the fallback policy for every content type that has no directive of its own; 'self' restricts sources to the page's own origin
CUSTOM CSP HEADER
You can add additional values, such as “script-src” and “style-src”, by overriding the default CSP header via the registry or as an Advanced Property:
- If the EFT Server 7.4 key does not exist, create it.
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\
- In v8 and later, add the key names below to the AdvancedProperties.json file. Refer to the Advanced Properties topic in your version of EFT for help regarding editing the Advanced Properties file.
Key Type: STRING
Key name: CSPHeaderOverride
Values: Provide the new CSP header string. For example:
default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;
You do not need to restart the EFT server service for the new CSP to take effect.
CSP WHEN reCAPTCHA IS USED FOR DROP-OFF PORTAL:
If you enable Google reCAPTCHA for the Drop-off portal, you will need to modify the allowed CSP domains to also include google.com and gstatic.com. This is necessary so that Google’s reCAPTCHA service will work.
Change CSPHeaderOverride to:
default-src 'self' www.google.com www.gstatic.com 'unsafe-inline' 'unsafe-eval' data:;
- If you disable reCAPTCHA, you should consider removing the override so that the default CSP is used. (This setting has no effect in Internet Explorer.)
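Before putting a string into CSPHeaderOverride, it helps to check what the browser will actually enforce: fetch directives such as script-src fall back to default-src when absent, and sources like *, 'unsafe-inline' and 'unsafe-eval' widen the policy. The following added checker (not EFT code; the three policy strings are the ones quoted above, and the risky-source list and host matching are a simplification that compares tokens literally) parses a header and reports those weak sources, plus whether the reCAPTCHA hosts are allowed to serve scripts:

```python
"""Parse a Content-Security-Policy header and audit its effective directives."""
from typing import Dict, List, Sequence

# Policy strings taken from the article above.
DEFAULT_CSP = "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;"
CUSTOM_CSP = "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"
RECAPTCHA_CSP = ("default-src 'self' www.google.com www.gstatic.com "
                 "'unsafe-inline' 'unsafe-eval' data:;")

# Fetch directives that inherit default-src when they are not set explicitly.
FETCH_FALLBACK = {"script-src", "style-src", "img-src", "font-src", "connect-src"}
# Source expressions that loosen the policy enough to be worth a finding.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are ';'-separated; whitespace after ';' is optional, so
    "font-src *;img-src *" parses the same as "font-src *; img-src *".
    A repeated directive is ignored, as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the sources the browser enforces for a directive, applying fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_FALLBACK:
        return policy.get("default-src", [])
    return []


def audit(header: str, required_script_hosts: Sequence[str] = ()) -> List[str]:
    """Report risky sources per explicit directive and missing script hosts."""
    policy = parse_csp(header)
    findings = [f"{name} allows {src}" for name, sources in policy.items()
                for src in sources if src in RISKY_SOURCES]
    script_sources = effective_sources(policy, "script-src")
    for host in required_script_hosts:  # literal token match; '*' covers any host
        if host not in script_sources and "*" not in script_sources:
            findings.append(f"script-src does not permit {host}")
    return findings
```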