Content Security Policy

Warning
Jenkins is currently (version 2.485) not ready for this plugin to be used to enforce Content Security Policy in all production environments. Some features will stop working with the default rule set when Report Only is unchecked. See JENKINS-60865 to track plugin compatibility.

Introduction

This plugin implements Content Security Policy protection for Jenkins.

Getting started

Install this plugin to have basic reporting of Content Security Policy violations in Jenkins: a new link, Content Security Policy Reports, on the Manage Jenkins page allows administrators to review reported policy violations.

Rules can be configured on the Configure Global Security configuration screen. By default, Content Security Policy violations are reported but not enforced. To enforce Content Security Policy, uncheck Report Only on the Configure Global Security configuration screen.

This plugin serves Content Security Policy headers for all HTTP responses, including user-generated content (files in workspaces, archived artifacts, etc.), unless those are served from the Resource Root URL. This interacts with the default Content Security Policy headers set by Jenkins since 1.641 and LTS 1.625.3 for these resources as follows:

  • If this plugin is configured to only report violations (the default), both the enforcing header (from Jenkins) and the non-enforcing header (from this plugin) will be set.

  • If this plugin is configured to enforce rules, Jenkins’s Content-Security-Policy header for these resources takes precedence over this plugin’s.

  • If the hudson.model.DirectoryBrowserSupport.CSP Java system property is set to the empty string (i.e., disable default protection from Jenkins), this plugin will still set the enforcing header if configured to do so.
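To verify which of these headers a given Jenkins URL actually returns, here is an added check script; it is not part of this plugin and assumes only the standard header names Content-Security-Policy and Content-Security-Policy-Report-Only. The sample headers and the report endpoint path in it are constructed for illustration.

```python
"""Inspect the CSP headers a Jenkins response carries (added example, not plugin code)."""
from urllib.request import Request, urlopen

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_csp(value):
    """Parse one CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:  # skip empty segments, e.g. after a trailing ';'
            policy[parts[0].lower()] = parts[1:]
    return policy


def inspect_csp(headers):
    """headers: {name: [values]} as returned by fetch_headers().

    Returns the mode ('enforced', 'report-only', 'both', 'none'), the parsed
    policies, and warnings an administrator would want to see.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    enforced = [parse_csp(v) for v in lowered.get(ENFORCE, [])]
    reported = [parse_csp(v) for v in lowered.get(REPORT_ONLY, [])]
    modes = {(True, True): "both", (True, False): "enforced", (False, True): "report-only"}
    mode = modes.get((bool(enforced), bool(reported)), "none")
    warnings = []
    for policy in reported:
        if "report-uri" not in policy and "report-to" not in policy:
            warnings.append("report-only policy has no report-uri/report-to: violations go nowhere")
    if len(enforced) > 1:
        warnings.append("several enforcing headers: the browser applies all of them")
    return {"mode": mode, "enforced": enforced, "report_only": reported, "warnings": warnings}


def fetch_headers(url):
    """GET a URL and collect every value of each response header (headers may repeat)."""
    with urlopen(Request(url)) as resp:
        names = {name.lower() for name, _ in resp.headers.items()}
        return {n: resp.headers.get_all(n) for n in names}


# Constructed sample: a workspace file served while the plugin is in Report Only,
# so Jenkins's enforcing header and the plugin's report-only header both appear.
SAMPLE_WORKSPACE_FILE = {
    "Content-Security-Policy": ["sandbox; default-src 'none'; img-src 'self'; style-src 'self';"],
    "Content-Security-Policy-Report-Only": ["default-src 'self'; report-uri /EXAMPLE-csp-report-endpoint"],
}

if __name__ == "__main__":
    print(inspect_csp(SAMPLE_WORKSPACE_FILE))
```

Replace the sample with `fetch_headers("https://your-jenkins/job/example/ws/index.html")` to inspect a live instance.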

Issues

Report issues and enhancements in the Jenkins issue tracker.

Contributing

Refer to our contribution guidelines.

LICENSE

Licensed under MIT, see LICENSE.