THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT v7.4.11 and later
DISCUSSION
The Content Security Policy (CSP) HTTP response header declares which dynamic resources are allowed to load in the browser. Not having this header can cause the Web Transfer Client to be flagged as misconfigured or weak in external web security reports. Use the string in the registry setting below as a custom CSP header.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\
Type: STRING
Value name: CSPHeaderOverride
Values: Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;
The value is a string and is interpreted as follows:
- If the value is not present, EFT sends its default CSP header.
- If the value is present and not empty, the string is used as the custom CSP header.
- If the value is present but empty, the CSP header is turned off.
Restart Required: No
MORE INFORMATION
- default-src 'self' = the default policy for loading content: only resources from the same origin
- 'unsafe-inline' = allows inline source elements such as style attributes, onclick handlers, script tag bodies and javascript: URIs
- 'unsafe-eval' = allows dynamic code evaluation such as JavaScript eval()
For information about CSP headers, refer to https://content-security-policy.com/.
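The following is an added example, not GlobalSCAPE code, that applies the three-state rule for CSPHeaderOverride described above to a value string and then breaks the resulting policy into its directives, flagging the 'unsafe-inline' and 'unsafe-eval' source expressions the article explains. It does not read the registry; the input is the sample string given in the article, and the state labels "default", "off" and "custom" are this example's own (the article does not say what EFT's default header contains).

```python
import re
from typing import Dict, List, Optional, Tuple

# Registry value name documented in the article for EFT 7.4.11 and later.
CSP_OVERRIDE_VALUE_NAME = "CSPHeaderOverride"

# Source expressions the article describes as relaxing the policy.
WEAK_SOURCE_EXPRESSIONS = ("'unsafe-inline'", "'unsafe-eval'")

# The documented registry value carries the header name itself; strip it so the
# remainder is the bare header value a browser would parse.
_HEADER_NAME_PREFIX = re.compile(r"^\s*content-security-policy\s*:\s*", re.IGNORECASE)


def resolve_override(registry_value: Optional[str]) -> Tuple[str, Optional[str]]:
    """Apply the article's three-state rule to a CSPHeaderOverride value.

    Returns ("default", None)  when the value is absent (EFT's built-in header),
            ("off", None)      when the value is present but empty (no header sent),
            ("custom", policy) when the value is non-empty (the string is the header,
                               with any leading "Content-Security-Policy:" removed).
    The state labels are this example's own naming.
    """
    if registry_value is None:
        return ("default", None)
    if registry_value.strip() == "":
        return ("off", None)
    return ("custom", _HEADER_NAME_PREFIX.sub("", registry_value).strip())


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive name: [source expressions]}.

    Directives are separated by ';'; within a directive the tokens are
    whitespace-separated and the first token is the (case-insensitive) name.
    A repeated directive name is ignored, as browsers keep the first occurrence.
    """
    directives: Dict[str, List[str]] = {}
    for segment in policy.split(";"):
        tokens = segment.split()
        if not tokens:
            continue  # trailing ';' or an empty segment
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def weak_sources(policy: str) -> List[Tuple[str, str]]:
    """Return (directive, source) pairs that use 'unsafe-inline' or 'unsafe-eval'."""
    findings: List[Tuple[str, str]] = []
    for name, sources in parse_csp(policy).items():
        for source in sources:
            if source.lower() in WEAK_SOURCE_EXPRESSIONS:
                findings.append((name, source))
    return findings


if __name__ == "__main__":
    # Constructed sample: the registry value string given in the article.
    sample = "Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;"
    for value in (None, "", sample):
        state, policy = resolve_override(value)
        print(f"{CSP_OVERRIDE_VALUE_NAME}={value!r} -> state={state}")
        if policy:
            print("  directives :", parse_csp(policy))
            print("  weak sources:", weak_sources(policy))
```

Running it on the article's value reports both 'unsafe-inline' and 'unsafe-eval' under default-src. Those two expressions give back much of the script-injection protection that CSP exists to provide, so an administrator who sets this value can use the report to confirm the header is actually being sent and to decide whether the Web Transfer Client needs both expressions or whether a tighter custom policy works.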