My Oracle Support Banner

Does Oracle HTTP Server Support Content Security Policy (CSP) Content-Security-Policy-Report-Only Header and report-uri Header Value (Doc ID 2698559.1)

Last updated on AUGUST 30, 2021

Applies to:

Oracle HTTP Server - Version 11.1.1.2.0 and later
Information in this document applies to any platform.

Goal

Explain Oracle HTTP Server's role with Content-Security-Policy(CSP) usage.
Using following two questions as example.

Does OHS support the "report-uri" directive of CSP?  e.g.
 Header set Content-Security-Policy: "default-src 'self'; report-uri /<APP_NAME>"
 Header set Content-Security-Policy: "default-src 'self'; report-uri https://<FQDN>/<APP_NAME>"

Does OHS support the CSP Report Only header "Content-Security-Policy-Report-Only"?   e.g.
 Header set Content-Security-Policy-Report-Only: "default-src 'self'; report-uri /<APP_NAME>"
 

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Goal
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.