CSP settings for DevUI and Swagger #49001

Stwissel · 2025-07-20T11:01:40Z

Stwissel
Jul 20, 2025

I'm locking down an application with a route filter that sets a restrictive Content-Security-Policy (CSP) of default-src: self.

As a side effect both the DevUI and the SwaggerUI won't load due to CSP violations.

I wonder what settings are actually needed for DevUI and Swagger?

Answered by Stwissel

Jul 22, 2025

To answer my own question....
You need this CSP:

default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline' blob:; connect-src 'self' https://hcl-software.okta.com http://localhost:8090; report-uri /api/csp-violation-report

Works for both the devUI and Swagger UI.

View full answer

@MikeEdgar · 2025-07-20T11:01:42Z

quarkus-bot[bot]
bot Jul 20, 2025

/cc @MikeEdgar (swagger-ui), @cescoffier (devui), @phillip-kruger (devui,swagger-ui)

0 replies

Stwissel · 2025-07-22T11:24:35Z

Stwissel
Jul 22, 2025
Author

To answer my own question....
You need this CSP:

default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline' blob:; connect-src 'self' https://hcl-software.okta.com http://localhost:8090; report-uri /api/csp-violation-report

Works for both the devUI and Swagger UI.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CSP settings for DevUI and Swagger #49001

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

CSP settings for DevUI and Swagger #49001

Uh oh!

Stwissel Jul 20, 2025

Replies: 2 comments

Uh oh!

quarkus-bot[bot] bot Jul 20, 2025

Uh oh!

Stwissel Jul 22, 2025 Author

Stwissel
Jul 20, 2025

quarkus-bot[bot]
bot Jul 20, 2025

Stwissel
Jul 22, 2025
Author