21.2.6.4 Best Practices for CSP Compliant Development
Learn about best practices for CSP compliance.
- Avoid Inline Scripts and Styles
Use external scripts and stylesheets. The most effective way to comply with CSP is to avoid inline scripts and styles altogether.
-
Use Supported Substitution Strings
Use the substitution strings, such as
#APEX_CSP_NONCE#and#APEX_CSP_HASHES#to safely allow specific inline scripts or styles to execute, ensuring your application’s security policy is adhered to. See Supported Substitution Strings. -
Test Your Application for CSP Compliance
-
Use developer tools - Utilize browser developer tools (such as Chrome DevTools or Firefox Developer Tools) to test your application and identify CSP violations. The console will provide details about any blocked resources.
-
Iterate and refine - As you develop your application, continuously test and refine your CSP policies. It's important to ensure that legitimate content is not mistakenly blocked while also preventing malicious content from being executed.
-
Third-Party Library Considerations
The CSP improvements in Oracle APEX apply to Oracle APEX code and built-in components. However, APEX also includes some third-party libraries that may not be fully compliant with strict Content Security Policy requirements. Additionally, developers who include their own third-party libraries may introduce policy violations or require additional directives. As a result, full compliance cannot be guaranteed in all cases.
To evaluate the impact on your application, use the Content-Security-Policy-Report-Only header and review the reported violations. Based on the results, you can determine the most appropriate policy configuration for your application. At the time of this release, MapLibre and CKEditor are known to have limitations with strict Content Security Policy configurations.
Parent topic: Configuring Content Security Policy (CSP)