Content Security Policy

Warning
Jenkins is currently (version 2.390) not ready for this plugin to be used to enforce Content-Security-Policy for most resources in production environments. Many features, both in core and plugins, will stop working with the default rule set. At this time, this plugin is a utility for Jenkins developers, not for Jenkins administrators.

Introduction

This plugin implements Content-Security-Policy protection for the classic Jenkins UI.

Getting started

Install this plugin to get basic reporting of Content-Security-Policy violations in Jenkins: a new link, Content Security Policy Reports, on the Manage Jenkins page lets administrators review the reported policy violations.

Rules can be configured on the Configure Global Security configuration screen.

This plugin serves Content-Security-Policy headers for all HTTP responses, including user-generated content (files in workspaces, archived artifacts, etc.), unless those are served from the Resource Root URL. This interacts with the default Content-Security-Policy headers set by Jenkins since 1.641 and LTS 1.625.3 for these resources as follows:

  • If this plugin is configured to only report violations (the default), both enforcing (from Jenkins) and non-enforcing (from this plugin) headers will be set.

  • If this plugin is configured to enforce rules, Jenkins’s Content-Security-Policy headers for these resources take precedence over this plugin’s.

  • If the hudson.model.DirectoryBrowserSupport.CSP Java system property is set to the empty string (i.e., Jenkins’s default protection for these resources is disabled), this plugin will still set the enforcing header if configured to do so.
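As an added example (not code from this plugin or from Jenkins core), the script below parses the Content-Security-Policy headers carried by a response and tells whether a given load would be blocked by an enforcing policy, only reported by a report-only policy, or both; the header values and the /csp-reports/ path are constructed for illustration and are not the real defaults.

```python
"""Classify the CSP headers on a Jenkins response: is a load blocked by an
enforcing policy, only reported by a report-only one, or both?"""
from typing import Dict, List, Tuple

# Constructed headers for a workspace file in the plugin's default
# (report-only) mode: an enforcing policy from Jenkins core plus a
# report-only policy from the plugin. Values are illustrative only.
REPORT_ONLY_MODE = [
    ("Content-Security-Policy",
     "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"),
    ("Content-Security-Policy-Report-Only",
     "default-src 'self'; script-src 'self'; report-uri /csp-reports/"),
]
# Constructed headers with the core header disabled (system property set
# to the empty string) and the plugin configured to enforce.
PLUGIN_ENFORCING_ONLY = [
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
]

def parse_policy(value: str) -> Dict[str, List[str]]:
    """Serialized policy -> {directive: [sources]}; first duplicate wins."""
    policy: Dict[str, List[str]] = {}
    for token in value.split(";"):
        parts = token.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def allows(policy: Dict[str, List[str]], directive: str, source: str) -> bool:
    """Check one fetch directive with default-src fallback; `source` is a
    keyword or host expression exactly as written in the header."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither directive nor default-src: unrestricted
    if "'none'" in sources:
        return False
    return source in sources or "*" in sources

def evaluate(headers, directive: str, source: str) -> Tuple[bool, bool]:
    """Return (blocked, reported): every enforcing header is applied, so one
    disallowing policy blocks; report-only headers only generate reports."""
    enforced = [parse_policy(v) for n, v in headers
                if n.lower() == "content-security-policy"]
    report_only = [parse_policy(v) for n, v in headers
                   if n.lower() == "content-security-policy-report-only"]
    blocked = any(not allows(p, directive, source) for p in enforced)
    reported = any(not allows(p, directive, source) for p in report_only)
    return blocked, reported
```

In the report-only configuration a same-origin script is blocked by the core header yet permitted by the plugin's report-only policy, so it generates no report; this is the kind of gap the first bullet above implies when both headers are present.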

Issues

Report issues and enhancements in the Jenkins issue tracker.

Contributing

Refer to our contribution guidelines.

LICENSE

Licensed under MIT, see LICENSE.