3.4.3.4 Using Content Security Policy (CSP) in APEX

Learn how to configure CSP for an application.

APEX supports CSP through the use of HTTP response headers. Enabling CSP at the application-level ensures that your entire application adheres to strict resource loading rules, helping you build more secure and robust applications.

3.4.3.4.1 Enabling CSP in an Application

Enable CSP for an application by editing Security Attributes.

Oracle APEX supports CSP through the use of HTTP response headers. Enabling CSP at the application-level ensures that your entire application adheres to strict resource loading rules, helping you build more secure and robust applications.

To enable CSP in an APEX application:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
    The Application home page appears.
  3. From the Application home page, you can access the Security page in two ways:
    • Edit Application Definition button:
      1. Click Edit Application Definition to the right of the application name.

      2. Click the Security tab.

    • From Shared Components:
      1. Click Shared Components.

      2. Under Security, click Security Attributes.

    The Edit Security Attributes page appears.

  4. Under Browser Security, HTTP Response Headers, enter additional application-specific HTTP headers that APEX should send on each response and that it does not support in another way. Choose one of the following:
    • Content-Security-Policy - Enforces the security policy and blocks any resources or actions that do not comply with the rules. Violations will result in blocked content, ensuring the application follows security best practices.

      Content-Security-Policy: default-src 'self' #APEX_CSP_NONCE# 'unsafe-hashes' #APEX_CSP_HASHES#; object-src 'none'; img-src 'self' data:;
    • Content-Security-Policy-Report-Only - Allows you to test your CSP settings without enforcing them. Instead of blocking violations, reports are generated, allowing you to monitor issues without disrupting the application. This header is ideal for testing and refining your policy before enforcing it in production.

      Content-Security-Policy-Report-Only: default-src 'self' #APEX_CSP_NONCE# 'unsafe-hashes' #APEX_CSP_HASHES#; object-src 'none'; img-src 'self' data:;

3.4.3.4.2 About Content-Security-Policy and Content-Security-Policy-Report-Only

Learn about Content-Security-Policy and Content-Security-Policy-Report-Only headers.

When implementing a Content Security Policy (CSP) header, you can choose between the Content-Security-Policy and Content-Security-Policy-Report-Only headers.

Once you add a CSP header:

  • CSP is applied globally across your application.

  • Only resources that match the specified policy are allowed to load.

  • Any scripts or resources that are not explicitly permitted (for example, inline scripts without the proper nonce/hash) are blocked by the browser.

    Tip:

    This may initially cause certain features (or plug-ins) to break if they are not CSP-compliant, so testing and adaptation may be required.

By enabling CSP, you are taking an important step toward hardening your application against client-side attacks. It enforces best practices and ensures that your codebase remains clean, secure, and trustworthy.

3.4.3.4.3 Supported Substitution Strings

Learn about supported substitution strings for CSP headers.

Available substitution strings for CSP header include:

  • #APEX_CSP_NONCE# - Used for the HTTP header and resolves to the current page request nonce value (for example, 'nonce-random123'). Used for allowing inline scripts and styles with a nonce.
  • #APEX_CSP_HASHES# - Resolves to the hashes of approved inline scripts or styles.
  • #APEX_DISPLAY_NONE# - Resolves to display: none to hide elements dynamically. Commonly used to manage visibility before content is fully loaded.
  • #APEX_CSP_NONCE_ATTRIBUTE# - The HTML attribute containing the nonce value (for example, nonce="random123").
  • #APEX_CSP_NONCE_VALUE# - The exact nonce value.