Nautobot - Content Security Policy best practice deviation - Unsafe Inline

[TheBirdsNest]

Hello Community!

I am deploying Nautobot in my organisation and we have a security policy that the 'Content-Security-Policy' directive must be present in the header without 'unsafe-inline' options configured for any element.

When applying this, the styling in Nautobot is broken and I see a large amount of errors.
I can see that styles have been configured inline.

It well understood that 'unsafe-inline' should be avoided to mitigate injection attacks.

https://content-security-policy.com/unsafe-inline/

Does anyone know if something is being done about this already?

Thanks,
Lawrence

[lampwins]

@TheBirdsNest thanks for bringing this up. We are aware of the need to introduce a default Content-Security-Policy header for Nautobot but as you have found, we have some housekeeping to make that a reality. We are looking at this for later this year, given other priorities.

[TheBirdsNest]

Hey @lampwins - I was looking to see if there has been any movement in this space as of yet?
If not I wonder if I could take a swing at it.. I'm at risk of having to shutdown our instance due to this security risk so if I can find a solution I'd like to get involved.