Content Security Policy for Kong Manager

Uses: Kong Gateway
Incompatible with: Konnect

A Content Security Policy (CSP) is a standard that helps prevent or minimize the risk of certain types of security threats, notably cross-site scripting and injected content. It consists of a series of instructions sent from a website to a browser in the Content-Security-Policy header, which tell the browser which sources it may load scripts, styles, images and other resources from, and which origins the page's code is allowed to connect to.

Kong Manager provides the following settings to manage the CSP through kong.conf:

admin_gui_csp_header
    Default: off

    Enable or disable the Content-Security-Policy (CSP) header for Kong Manager.

    This configuration controls the presence of the CSP header when serving Kong Manager. The default CSP header value will be used unless customized.

    To modify the value of the served CSP header, refer to the admin_gui_csp_header_value configuration.

    Set this configuration to on to enable the CSP header.

admin_gui_csp_header_value

    The value of the Content-Security-Policy (CSP) header for Kong Manager.

    This configuration controls the value of the CSP header when serving Kong Manager. If omitted or left empty, the default CSP header value will be used.

    This is an advanced configuration intended for cases where the default CSP header value does not meet your requirements. Use with caution.

For more information on the CSP header, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Default CSP

When admin_gui_csp_header is enabled, Kong Manager enforces a default CSP composed of the following directives:

default-src 'self';
connect-src {source};
img-src 'self' data:;
script-src 'self' 'wasm-unsafe-eval';
script-src-elem 'self';
style-src 'self' 'unsafe-inline';

The value of the connect-src directive, which governs the origins that Kong Manager's scripts may reach through fetch, XMLHttpRequest and WebSocket calls (that is, the Admin API), depends on the admin_gui_api_url setting.

If admin_gui_api_url is not specified, the connect-src directive is the origin the request arrived on, i.e. the requesting scheme, host and port. For example:

  • If the request URL is http://localhost:9112, the connect-src directive is http://localhost:9112
  • If the request URL is https://localhost:9112, the connect-src directive is https://localhost:9112

If admin_gui_api_url is specified, the connect-src directive depends on whether the value carries an http:// or https:// prefix. For example:

  • If admin_gui_api_url starts with http:// or https://, the connect-src directive is the value of admin_gui_api_url as given.
  • If admin_gui_api_url doesn’t start with http:// or https://, the connect-src directive is the value of admin_gui_api_url prefixed with http:// when Kong Manager is accessed over HTTP, and https:// when it is accessed over HTTPS.
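The rules above are small enough to reproduce, which is useful when you want to know in advance what header a given kong.conf will produce, or to compare against what curl actually returns. The following Python is an added illustration written for this page, not Kong's own code; the manager.example.com and admin.example.com hostnames in it are assumed for the example.

```python
"""Reproduce the documented default Kong Manager CSP for a given deployment.

Added illustration of the connect-src rules; this is not Kong's own code,
and the hostnames used in the example run are assumed.
"""
from typing import Optional
from urllib.parse import urlsplit

# Fixed directives of the documented default policy, in documented order.
# connect-src is inserted after default-src because it varies per request.
FIXED_DIRECTIVES = [
    ("default-src", "'self'"),
    ("img-src", "'self' data:"),
    ("script-src", "'self' 'wasm-unsafe-eval'"),
    ("script-src-elem", "'self'"),
    ("style-src", "'self' 'unsafe-inline'"),
]


def connect_src(request_url: str, admin_gui_api_url: Optional[str] = None) -> str:
    """Return the connect-src source for one request.

    request_url is the URL the browser loaded Kong Manager from;
    admin_gui_api_url is the kong.conf value, or None when unset.
    """
    parts = urlsplit(request_url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("request_url must be an absolute http:// or https:// URL")

    # Rule 1: admin_gui_api_url unset -> the requesting origin (scheme, host, port).
    if not admin_gui_api_url or not admin_gui_api_url.strip():
        return f"{scheme}://{parts.netloc}"

    api = admin_gui_api_url.strip()
    # Rule 2: explicit http:// or https:// prefix -> used verbatim.
    if api.lower().startswith(("http://", "https://")):
        return api
    # Rule 3: no scheme -> prefixed with the scheme Kong Manager was served over.
    return f"{scheme}://{api}"


def default_csp(request_url: str, admin_gui_api_url: Optional[str] = None) -> str:
    """Assemble the full default Content-Security-Policy header value."""
    directives = [FIXED_DIRECTIVES[0],
                  ("connect-src", connect_src(request_url, admin_gui_api_url))]
    directives += FIXED_DIRECTIVES[1:]
    return "; ".join(f"{name} {value}" for name, value in directives) + ";"


def mixed_content(request_url: str, admin_gui_api_url: Optional[str] = None) -> bool:
    """True when Kong Manager is served over HTTPS but connect-src resolves to an
    http:// origin. Browsers block such fetch/XHR calls as active mixed content
    before CSP is even consulted, so the Admin API would be unreachable."""
    return (urlsplit(request_url).scheme.lower() == "https"
            and connect_src(request_url, admin_gui_api_url).lower().startswith("http://"))


if __name__ == "__main__":
    # Assumed deployment: Manager served over HTTPS, Admin API on another host.
    print(default_csp("https://manager.example.com", "admin.example.com:8444"))
    print("mixed content:", mixed_content("https://manager.example.com", "http://admin.example.com:8001"))
```

The mixed_content check is the caveat worth keeping in mind when you set admin_gui_api_url with an explicit http:// prefix: the CSP will faithfully allow that origin, but a browser that loaded Kong Manager over HTTPS will refuse the plaintext Admin API calls anyway.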

Customize the CSP header

Sometimes, the default CSP may not fit your needs. You can customize the Content Security Policy by setting the admin_gui_csp_header_value parameter in your Kong Gateway configuration:

admin_gui_csp_header_value = default-src 'self'; connect-src 'self' https://$ADMIN_API.tld;

Note: An invalid or overly strict Content Security Policy can break the functionality of Kong Manager, and an overly permissive one weakens the protection the header is meant to provide. Test any custom Content Security Policy before using it in production.
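One practical way to "test before production" is to compare a candidate admin_gui_csp_header_value against the documented default, so you see which sources the default grants that your policy drops and which permissive sources your policy adds. The Python below is an added example for this page, not Kong's own validation; the https://admin.example.com:8444 origin in DEFAULT_POLICY stands in for the connect-src value Kong would derive for an assumed deployment.

```python
"""Lint a custom admin_gui_csp_header_value against the documented default.

Added example for the customization step; this is not Kong's own validation.
The connect-src origin in DEFAULT_POLICY is assumed for the example deployment.
"""

# The documented default policy with connect-src filled in for an assumed deployment.
DEFAULT_POLICY = (
    "default-src 'self'; connect-src https://admin.example.com:8444; "
    "img-src 'self' data:; script-src 'self' 'wasm-unsafe-eval'; "
    "script-src-elem 'self'; style-src 'self' 'unsafe-inline';"
)

# Sources that, once they reach a script directive, let injected script run.
RISKY_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:")


def parse_csp(value: str) -> dict:
    """Parse a CSP header value into {directive: [source, ...]}.

    Directives are ';'-separated; the first token is the (case-insensitive)
    directive name and the remaining tokens are sources. Browsers ignore a
    repeated directive, so only the first occurrence is kept.
    """
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """Sources that actually govern `directive`, following the CSP fallback
    chain: script-src-elem -> script-src -> default-src; others -> default-src."""
    if directive in policy:
        return policy[directive]
    if directive == "script-src-elem" and "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def lint_csp(custom: str, default: str = DEFAULT_POLICY) -> list:
    """Return human-readable findings for a custom policy.

    Two classes of finding: sources the default policy grants that the custom
    policy drops (Kong Manager may stop working), and permissive sources that
    reach script execution (XSS protection weakened).
    """
    cur, ref = parse_csp(custom), parse_csp(default)
    findings = []

    if "default-src" not in cur:
        findings.append("no default-src: every fetch directive you omit is unrestricted")

    # connect-src is deployment specific, so only check it is not closed off.
    conn = effective_sources(cur, "connect-src")
    if not conn or conn == ["'none'"]:
        findings.append("connect-src is empty or 'none': Kong Manager cannot call the Admin API")

    # Anything the default grants but the custom policy (after fallback) lacks.
    for directive, wanted in ref.items():
        if directive in ("default-src", "connect-src"):
            continue
        missing = sorted(set(wanted) - set(effective_sources(cur, directive)))
        if missing:
            findings.append(f"{directive} drops {' '.join(missing)} granted by the default policy")

    # Permissive sources that end up governing script execution.
    risky = {src for d in ("script-src", "script-src-elem")
             for src in effective_sources(cur, d) if src in RISKY_SCRIPT_SOURCES}
    for src in sorted(risky):
        findings.append(f"scripts may run from {src}, which weakens XSS protection")

    return findings


if __name__ == "__main__":
    # The customization example from the docs, with an assumed Admin API host.
    for line in lint_csp("default-src 'self'; connect-src 'self' https://admin.example.com:8444;"):
        print("-", line)
```

Run against the customization example above, the lint reports that the policy drops data: images, 'wasm-unsafe-eval' and inline styles relative to the default. Whether Kong Manager still works without them is exactly what the note asks you to verify in a test environment; the lint only tells you where to look.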
