My Oracle Support Banner

Apex Content-Security-Policy Syntax Not Working In Apex 20.1 and Apex 20.2 (Doc ID 2812492.1)

Last updated on OCTOBER 11, 2021

Applies to:

Oracle Application Express (APEX) - Version 20.1 and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
Information in this document applies to any platform.


While trying to access the Apex URL after setting the Content Security Policy at the Instance Security Settings the details are not appearing in the Response Headers during the runtime.

1. Login into Apex Administration and navigate to Instance Settings.
2. Go to Security ----> HTTP Protocol tab.
3. Set the following parameters.

X-Frame-Options: DENY
x-powered-by: intrawebHHA
Content-Security-Policy: script-src-attr 'unsafe-inline'; script-src-elem
'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem
'unsafe-inline'; report-uri

4. Apply the Changes

5. Run the Apex Application Builder URL and enable Developer Tools.

6. The Security Policy details are not appearing in the Response Headers.

The behavior prior to 19.2 was appearing as follows.




The behavior in 20.1 and 20.2 is appearing as follows.




 The information used to appear with the older versions of Apex i.e 19.2


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.