3.4.3.6 Best Practices for CSP Compliant Development

Learn about best practices for CSP compliance.

  • Avoid Inline Scripts and Styles

    Use external scripts and stylesheets. The most effective way to comply with CSP is to avoid inline scripts and styles altogether.

  • Use Supported Substitution Strings

    Use the substitution strings, such as #APEX_CSP_NONCE# and #APEX_CSP_HASHES# to safely allow specific inline scripts or styles to execute, ensuring your application’s security policy is adhered to. See Supported Substitution Strings.

  • Test Your Application for CSP Compliance
    • Use developer tools - Use browser developer tools (such as Chrome DevTools or Firefox Developer Tools) to exercise your application and identify CSP violations. The console reports each blocked resource together with the directive it violated.

    • Iterate and refine - As you develop your application, continuously test and refine your CSP policies. It's important to ensure that legitimate content is not mistakenly blocked while also preventing malicious content from being executed.
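
The nonce and hash mechanisms behind the substitution strings above, plus the "would this inline script be blocked?" check you would otherwise perform in the browser console, as an added example in Python that is not part of the APEX documentation. It stands in for `#APEX_CSP_NONCE#` and `#APEX_CSP_HASHES#` with a plain string replacement in a constructed header and page template (an assumption about where the values are placed, not APEX's own substitution engine); the policy layout, the `trackView`/`initPage` script bodies and the `demo` function are constructed for illustration.

```python
import base64
import hashlib
import secrets
from typing import Optional

# Added example, not code from the APEX documentation. It shows what a CSP
# nonce and a CSP hash are, how they reach the header and the page, and a toy
# version of the browser's inline-script decision so the effect of a whitespace
# edit or a wrong nonce can be checked without opening the developer tools.


def csp_hash(inline_source: str) -> str:
    """CSP source expression for one inline <script>/<style> body.

    The browser hashes the exact text between the tags, so any change to
    whitespace or quoting yields a different hash and the block is refused.
    """
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Fresh per-response nonce: unguessable, base64 so it is header-safe."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


# Constructed templates using the APEX substitution-string syntax. The real
# APEX engine expands these; here str.replace stands in for it (an assumption
# about placement only). Note there is no 'unsafe-inline' in script-src.
HEADER_TEMPLATE = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-#APEX_CSP_NONCE#' #APEX_CSP_HASHES#; "
    "style-src 'self' 'nonce-#APEX_CSP_NONCE#'; "
    "object-src 'none'; base-uri 'self'"
)
PAGE_TEMPLATE = (
    "<script nonce=\"#APEX_CSP_NONCE#\">initPage();</script>\n"
    "<script src=\"/app/main.js\"></script>\n"
)


def apply_substitutions(template: str, nonce: str, hashes: list) -> str:
    """Expand the two placeholders; hashes are space-separated source tokens."""
    return (template
            .replace("#APEX_CSP_NONCE#", nonce)
            .replace("#APEX_CSP_HASHES#", " ".join(hashes)))


def directive_sources(policy: str, directive: str) -> list:
    """Return the source list of one directive from a serialised policy."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == directive:
            return tokens[1:]
    return []


def inline_script_allowed(policy: str, body: str,
                          nonce_attr: Optional[str] = None) -> bool:
    """Toy model of the browser rule for an inline script under script-src:
    it runs if its nonce attribute matches a 'nonce-' source or the hash of
    its body is listed. Only nonce and hash sources are modelled."""
    sources = directive_sources(policy, "script-src")
    if nonce_attr is not None and f"'nonce-{nonce_attr}'" in sources:
        return True
    return csp_hash(body) in sources


def demo() -> dict:
    """Build the header and page for one response and check four inline blocks."""
    nonce = new_nonce()
    legacy_inline = "trackView('home');"   # constructed: a block you cannot nonce
    hashes = [csp_hash(legacy_inline)]
    policy = apply_substitutions(HEADER_TEMPLATE, nonce, hashes)
    page = apply_substitutions(PAGE_TEMPLATE, nonce, hashes)
    return {
        "header": "Content-Security-Policy: " + policy,
        "page": page,
        "nonced_block_runs": inline_script_allowed(policy, "initPage();", nonce),
        "hashed_block_runs": inline_script_allowed(policy, legacy_inline),
        "edited_block_runs": inline_script_allowed(policy, legacy_inline + " "),
        "wrong_nonce_runs": inline_script_allowed(policy, "initPage();", "guess"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the expanded header and page and then the four decisions: the nonce-tagged block and the hashed block run, while the same legacy script with one trailing space and a block carrying a guessed nonce are refused. The hash case is the one that usually surprises during testing: the hash covers the exact script body, so a reformatting change in a template silently invalidates an `#APEX_CSP_HASHES#` entry and surfaces only as a console violation.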