From de0c2850f70956f94dbda7f72a389cac2fcdacd2 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov
Date: Wed, 18 Mar 2026 16:44:08 +0200
Subject: [PATCH] Fix CSP example value to include img-src and font-src directives

---
 application/src/main/resources/thingsboard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml
index 79bf8a9706..e82d3fd061 100644
--- a/application/src/main/resources/thingsboard.yml
+++ b/application/src/main/resources/thingsboard.yml
@@ -215,7 +215,7 @@ security:
 # - Widgets loading external resources (images, fonts, scripts)
 # - Dashboard embedding via iframes (if frame-ancestors is restrictive)
 # Use 'report-only: true' first to test the impact before enforcing.
- # Example value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'"
+ # Example value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; frame-ancestors 'self'"
 content-security-policy:
 # Enable/disable Content-Security-Policy header. Mitigates XSS and data injection attacks
 enabled: "${SECURITY_HEADERS_CONTENT_SECURITY_POLICY_ENABLED:false}"
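Review bot: The updated example value on the `+` line still carries `'unsafe-inline' 'unsafe-eval'` in `script-src`, while the comment two lines below describes the header as mitigating XSS; with those two source expressions present the policy does very little against injected scripts, and the example gives no hint of that trade-off. A reader copying the example into `SECURITY_HEADERS_CONTENT_SECURITY_POLICY` (the env var name is inferred from the `enabled` line and not visible here) will believe they are protected. I would add, directly under the example line, `# Note: 'unsafe-inline' and 'unsafe-eval' in script-src largely negate the XSS mitigation; remove them if your widgets allow it, and consider adding object-src 'none' and base-uri 'self'.` The `security:` mapping this hunk sits in starts and ends outside the hunk.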