Add documenation on required CSP headers

Deltares · Sep 11, 2024 · cf704fe · cf704fe
1 parent 86d0ad6
commit cf704fe
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/docs/public/deployments/README.md b/docs/public/deployments/README.md
@@ -133,4 +133,25 @@ Please note that every user of Web OC requires direct access to the FewsWebServi
 
 ```
 
-
+## Content Security Policy (CSP) Headers
+
+These headers are used to define the security policies for a web page, 
+specifying which resources can be loaded and executed by the browser.
+It is advised to add CSP headers in the server configuration. 
+The WebOC requires the following policies:
+
+| Header | Value |
+| ------ | ----- |
+| default-src | 'none'|
+| script-src | 'self'|
+| font-src | 'self'| |
+| style-src | 'self' 'unsafe-inline'|
+| worker-src | blob:|
+| img-src | 'self' data: blob: `FEWS_WEBSERVICES_DOMAIN` |
+| connect-src | 'self' https://basemaps.cartocdn.com https://*.basemaps.cartocdn.com `FEWS_WEBSERVICES_DOMAIN` |
+
+Replace `FEWS_WEBSERVICES_DOMAIN` with the domain of the FEWS web services are available. Leave empty when this is the same domain as where the WebOC is hosted.
+
+For more information, refer to the MDN documentation:
+[Content Security Policy (CSP) - MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
+