Required Permission: Settings management (Read more about permissions in User Groups)

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in the trusted web page context [Wikipedia]. Graphlytic’s Content Security Policy configuration allows modification of the CSP rules that are sent to the browser with every response. Use this configuration to enhance the CSP rules, e.g. when you need to include a third-party JS script in your custom widget and the OOTB rules are blocking access to that script.

CSP Configuration

To add new CSP rules please use the Swagger UI, and find the Settings group:

Follow these steps:

  1. Use the GET /settings/{type} endpoint to read the GENERAL setting.

  2. Copy the “object” part of the configuration and modify the “csp” part according to your needs (see the example below).

  3. Upload the modified GENERAL setting using the PUT /settings/{type} endpoint.

Example of the configuration available in the GET /settings/{type} endpoint that can be used in the PUT /settings/{type} endpoint:

"showHintsOnInit": false,
"sessionTimeout": 3600,
"loginMessage": {
"enabled": false,
"type": "success",
"text": "Planned maintenance from ... to..."
"maxConcurrentSessionsPerUser": 3,
"cors": {
"enabled": true,
"domains": []
"csp": {
"script-src": [
"site": {
"title": "Graphlytic",
"image": "",
"background": ""
"publicWidgets": false

Explanation of the “csp” object structure

The “csp” object is a map of CSP directives and their values. These CSP directives are supported:

  • default-src

  • script-src

  • style-src

  • img-src

  • connect-src

  • font-src

  • object-src

  • media-src

  • frame-src

  • sandbox

  • report-uri

  • child-src

  • form-action

  • frame-ancestors

  • plugin-types

  • base-uri

  • report-to

  • worker-src

  • manifest-src

  • prefetch-src

  • navigate-to