Overview
Parameter:CONTENTSECURITYPOLICYAKTIV
Category: Custom Default
value: 0 (disabled)
Product: eTASK.Other (Custom)
What does this parameter do?
This parameter enables or disables the Content Security Policy (CSP) for the eTASK portal. It controls whether the security policy defined in CONTENTSECURITYPOLICY is enforced by the browser. The parameter offers three modes: fully disabled, active blocking (violations are blocked), or Report-Only (violations are logged but not blocked).
What is this parameter used for?
Enabling/Disabling the Content Security Policy
Controlling the CSP mode (blocking vs. logging only)
Safe testing phase for new CSP configurations (report-only mode)
Gradual introduction of CSP security measures
Troubleshooting CSP-related issues
Technical Details (for Administrators)
Format: Integer (whole number)
Default value: 0
Valid values:
0= CSP is not used (disabled)1= CSP is enabled and enforced (blocking mode)2= CSP events are logged in the application log without blocking (report-only mode)
Important notes:
This parameter controls only the activation, not the content of the CSP
The actual CSP policy is defined in CONTENTSECURITYPOLICY
For value
1: HTTP headercontent-security-policy, the following is sentIf the value is
2: HTTP headercontent-security-policy-report-onlyis sentIf value
0: No CSP header is sent
Interaction with other parameters:
CONTENTSECURITYPOLICY: Defines the actual CSP policy (which resources are allowed)
XFRAMEOPTIONS: Additional security measure against clickjacking
CONTENTTYPEOPTIONSNOSNIFFACTIVE: Prevents MIME type sniffing
XPERMITTEDCROSSDOMAINPOLICIES: Protection against cross-domain embedding
When should you change this value?
Leave the value set to 0 (disabled) if:
You do not want to use CSP
You are experiencing issues with the current CSP configuration and need to respond quickly
External resources are included that cause CSP violations
Set the value to 1 (active blocking) if:
You want maximum protection against XSS attacks
The CSP configuration has been thoroughly tested
You have successfully completed the report-only mode
You want to go live with active CSP security measures
Set the value to 2 (Report-Only) if:
You want to test a new CSP configuration
You want to identify violations without blocking functions
You want to roll out CSP incrementally
You want to analyze the impact of CSP changes
Important Notes
Use Report-Only mode
for testing Before you enable CSP (value 1), test extensively using value 2 (Report-Only). This allows you to identify CSP violations without blocking functions.Monitor the application
log In Report-Only mode (value 2), CSP violations are logged in the application log. Check the logs regularly for entries regarding blocked resources.Check the browser
console CSP violations are also displayed in the browser developer console (F12), regardless of the mode. Use this for quick debugging.Quick deactivation in case of problems If CSP causes unexpected issues, you can immediately disable CSP by setting the value to 0 without having to modify CONTENTSECURITYPOLICY.
Gradual activation recommended
Recommended sequence: 0 (disabled) → 2 (report-only, test over several days) → 1 (actively blocking)No intermediate values
Use only the values 0, 1, or 2. Other values are treated as 0 (disabled).
Security
Does changing this parameter affect security?
Yes, this parameter has direct security implications.
Positive security aspects:
Value 1 (enabled):
Maximum XSS protection: Actively blocks unauthorized scripts
Code injection protection: Prevents execution of unwanted scripts
Real-time protection: Browser enforces CSP rules immediately
Defense-in-Depth: Additional security layer for web applications
Value 2 (Report-Only):
Safe testing: Enables CSP testing without affecting functionality
Monitoring: Identifies potential security vulnerabilities
Preparation: Detects issues before production deployment
Security Risks:
Value 0 (disabled):
No CSP protection: XSS attacks are not prevented by CSP
Increased risk: Code injection attacks are possible
Missing security layer: No CSP-based protection
Value 2 (Report-Only):
Monitoring only: Attacks are detected but not blocked
No active defense: Protection is passive, not preventive
Best Practices:
Production systems: Use Level 1 (active) for maximum security
Test/development environments: Use value 2 for secure testing
Emergencies: Use value 0 only temporarily for acute problems
Monitoring: Continue monitoring logs at value 1
Regular checks: Verify CSP configuration with every update
Recommendation: For production systems, CONTENTSECURITYPOLICYAKTIV should be set to 1, provided the CSP configuration is correct and has been tested. Report-Only mode (2) is ideal for the testing phase but should not be used permanently in production.
Practical example
Initial situation: You have successfully installed the eTASK portal and now want to activate the Content Security Policy to secure the portal against XSS attacks. However, you are unsure whether the default CSP allows all functions.
Recommended procedure:
Phase 1: Initial state (value 0)
Current configuration: - CONTENTSECURITYPOLICYAKTIV = 0 - CONTENTSECURITYPOLICY = (default value)
The portal is running without CSP protection.
Phase 2: Report-Only Test (Value 2)
Set CONTENTSECURITYPOLICYAKTIV =
2Test the portal for 3–7 days during normal operation
All functions work normally (nothing is blocked)
CSP violations are only logged
Monitoring during the test phase:
Check the application log and the browser console (F12) daily:
Example log entries for violations:
[CSP] Refused to load script from 'https://external-cdn.com/script.js'
because it violates the Content Security Policy directive: "default-src 'self'..."Result after the test phase:
No CSP violations found → Phase 3
CSP violations found → Adjust CONTENTSECURITYPOLICY, retest with value 2
Phase 3: Activation (value 1)
After successful test phase:
Set CONTENTSECURITYPOLICYAKTIV =
1CSP is now active and blocks violations
Portal is protected against XSS attacks
All legitimate functions continue to work
After activation:
HTTP header
content-security-policyare sent with every requestThe browser actively enforces CSP rules
Unauthorized scripts are blocked
The portal is more secure against XSS and code injection attacks
Monitoring remains active (browser console continues to display violations)
Emergency deactivation:
If a critical issue occurs after activation:
Immediately reset CONTENTSECURITYPOLICYAKTIV to
0The portal works again without CSP restrictions
Analyze the problem
Adjust CONTENTSECURITYPOLICY
Test again with the value
2(Report-Only)Reactivate with value
1
Result: By enabling the policy in stages using Report-Only mode, all CSP issues were identified and resolved before active blocking was enabled. The portal is now secure against XSS attacks without compromising functionality.
Recommended setting
For production systems:1(active blocking)
Reason:
Maximum security against XSS attacks
Active defense against code injection
Proven security measure
Browsers consistently enforce CSP rules
Standard in modern web security concepts
For test/development environments:2(Report-Only)
Reason:
Secure testing phase for new CSP configurations
Identification of issues without compromising functionality
Monitoring of potential security vulnerabilities
Preparation for production deployment
Recommended workflow for new installations:
Start: Value
0(disabled) for initial setupTest: Value
2(Report-Only) for 3–7 days during normal operationMonitoring: Check logs and browser console for violations
Adjustment: If violations: Adjust CONTENTSECURITYPOLICY, return to step 2
Activation: Value
1(active) after successful test phaseMaintenance: Regularly review the CSP logs
Important: Do not leave production systems permanently set to value 2 (Report-Only). This mode is intended for testing only. Value 1 is required for actual protection.