Configure Content Security Policy¶
Applies to customer-managed instances of Alation. Available from 2026.1.
Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks. Alation allows you to configure CSP headers to control which external resources can be loaded and executed by browsers when users access your Alation instance.
For more information about Content Security Policy, see MDN Web Docs - Content Security Policy (CSP).
CSP Modes¶
Alation supports two CSP modes:
Permissive CSP (Default)
By default, Alation uses a permissive CSP that allows resources from any source. This mode ensures maximum compatibility with third-party tools and embedded content but only restricts framing to the same origin and leaves most script and resource loading unrestricted.
The default permissive CSP header is:
default-src * 'unsafe-eval' 'unsafe-inline' blob: data:; frame-ancestors 'self'
Restrictive CSP with Custom Domains
When custom CSP is enabled, Alation uses a more restrictive policy that only allows resources from trusted sources. This improves security by limiting which domains can serve scripts, styles, images, and other content to your users.
The restrictive CSP includes pre-configured access to common Alation integrations:
Product Analytics
Feature Flag Management
Google services (authentication, storage)
Tableau (connector integration)
You can add additional trusted domains to the policy to support your organization’s specific integrations.
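As an added example (not part of the Alation documentation or product), the following Python script parses a CSP header into its directives, shows which sources a fetch directive such as script-src effectively gets when it is absent and falls back to default-src, and flags the source expressions that weaken a policy. It runs against the permissive default quoted above and against a constructed restrictive policy with hypothetical domains; that constructed policy only illustrates the general shape of a locked-down header and is not Alation's actual restrictive policy.

```python
"""Added example, not Alation code: parse a CSP header, apply default-src
fallback, and flag source expressions that weaken the policy."""
from __future__ import annotations

# The default permissive policy quoted on this page.
PERMISSIVE = (
    "default-src * 'unsafe-eval' 'unsafe-inline' blob: data:; "
    "frame-ancestors 'self'"
)

# Constructed example of a restrictive policy (hypothetical domains). It is
# NOT Alation's actual restrictive policy, only the shape such a header takes.
RESTRICTIVE = (
    "default-src 'self'; "
    "script-src 'self' https://analytics.example.com; "
    "connect-src 'self' https://api.example.com; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
)

# Source expressions that undo the protection a directive is meant to give.
WEAK_SOURCES = {
    "*": "any origin may serve this resource type",
    "'unsafe-inline'": "inline script/style runs, so injected markup executes",
    "'unsafe-eval'": "eval()/new Function() on untrusted strings is allowed",
    "data:": "data: URIs let injected content bypass host allow-lists",
    "blob:": "blob: URIs let script assembled at runtime execute",
}

# Directives that fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "font-src",
    "connect-src", "frame-src", "object-src",
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header into {directive: [source expressions]}.
    Directives are ';'-separated; the first token of each is its name."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources that apply to a directive, honouring the default-src fallback.
    Non-fetch directives such as frame-ancestors and form-action never fall back."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def weak_sources(header: str) -> list[tuple[str, str, str]]:
    """(directive, source, reason) for every weak source expression present."""
    findings = []
    for directive, sources in parse_csp(header).items():
        for src in sources:
            if src in WEAK_SOURCES:
                findings.append((directive, src, WEAK_SOURCES[src]))
    return findings


if __name__ == "__main__":
    for name, header in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        policy = parse_csp(header)
        print(f"{name}: script-src effectively = {effective_sources(policy, 'script-src')}")
        for directive, src, reason in weak_sources(header):
            print(f"  {directive}: {src} -> {reason}")
```

Run as-is, the permissive header yields five findings, all on default-src, and because script-src is not set they are exactly the sources a browser applies to script loading; the restrictive header yields none. The only directive the permissive policy really locks down is frame-ancestors, which is what the page means by "only restricts framing to the same origin".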
Enable Custom CSP¶
Important
Enabling custom CSP applies a more restrictive security policy. Before you enable custom CSP, identify all third-party domains that your deployment requires and add them to the allow list so that those integrations keep working.
Important
The following changes require you to restart nginx. This means that your Alation instance will be unavailable for a short period of time. We recommend that you make these changes during off-peak hours.
To enable custom CSP:
Use SSH to connect to the Alation server.
Enter the Alation shell using the following command:
sudo /etc/init.d/alation shell
Enable custom CSP by setting the nginx.csp_custom_enabled parameter to True:
alation_conf nginx.csp_custom_enabled -s True
Deploy the changes by running the following command:
alation_action deploy_conf_nginx
Restart nginx:
alation_action stop_nginx
alation_action start_nginx
Add Custom Domains¶
If your organization uses third-party tools or services that need to load resources on Alation pages, you can add those domains to the CSP allow list.
Important
The following changes require you to restart nginx. This means that your Alation instance will be unavailable for a short period of time. We recommend that you make these changes during off-peak hours.
To add custom domains to the CSP:
Use SSH to connect to the Alation server.
Enter the Alation shell using the following command:
sudo /etc/init.d/alation shell
Ensure custom CSP is enabled:
alation_conf nginx.csp_custom_enabled
If the value is False, enable it first (see Enable Custom CSP).
Add your custom domains using the nginx.csp_custom parameter. Provide a space-separated list of domains:
alation_conf nginx.csp_custom -s 'https://bi-tool.example.com https://analytics.example.com'
Note
Each domain must include the protocol (https:// or http://).
Wildcard subdomains are supported (for example, https://*.example.com).
Port numbers can be specified if needed (for example, https://example.com:8443).
Deploy the changes by running the following command:
alation_action deploy_conf_nginx
Restart nginx:
alation_action stop_nginx
alation_action start_nginx
View Current CSP Configuration¶
To view the current CSP configuration:
Use SSH to connect to the Alation server.
Enter the Alation shell using the following command:
sudo /etc/init.d/alation shell
Check if custom CSP is enabled:
alation_conf nginx.csp_custom_enabled
View the list of custom domains:
alation_conf nginx.csp_custom
Disable Custom CSP¶
To revert to the default permissive CSP:
Use SSH to connect to the Alation server.
Enter the Alation shell using the following command:
sudo /etc/init.d/alation shell
Disable custom CSP:
alation_conf nginx.csp_custom_enabled -s False
Deploy the changes and restart nginx:
alation_action deploy_conf_nginx
alation_action stop_nginx
alation_action start_nginx
Troubleshooting¶
If resources fail to load after enabling custom CSP, check your browser’s developer console for CSP violation messages. CSP violation messages indicate which domains need to be added to the allow list.
Common symptoms of CSP violations include:
Third-party widgets or embeds not loading
Authentication with external identity providers failing
Analytics or monitoring tools not functioning
Custom JavaScript or styling not applying
To resolve these issues, identify the blocked domain from the browser console error message and add it to the nginx.csp_custom parameter.
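The domain rules from Add Custom Domains and the troubleshooting steps above can both be checked before anything is passed to alation_conf. The following Python script is an added example, not Alation code: it validates a candidate nginx.csp_custom value against the three rules on this page (protocol required, wildcard subdomains, optional port), extracts the blocked origin from browser console messages, and reports which origins the current allow list does not already cover. The allow list and the console messages are constructed here with hypothetical domains; the message wording follows Chromium's CSP violation format, and the matching semantics (wildcard covers subdomains only, ports must agree) are this example's assumptions about standard CSP host-source matching, not a statement about how Alation's nginx template applies the list.

```python
"""Added example, not Alation code: check a nginx.csp_custom value against
the rules on this page and find blocked origins it does not yet cover."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed current allow list (hypothetical domains).
CURRENT_ALLOW_LIST = (
    "https://bi-tool.example.com https://*.analytics.example.com "
    "https://example.com:8443"
)

# Constructed console messages in the wording Chromium uses for CSP
# violations; the URLs are hypothetical.
CONSOLE_MESSAGES = [
    "Refused to load the script 'https://widgets.analytics.example.com/embed.js' "
    "because it violates the following Content Security Policy directive: "
    "\"script-src 'self' https://*.analytics.example.com\".",
    "Refused to connect to 'https://idp.partner.example/token' because it "
    "violates the following Content Security Policy directive: \"connect-src 'self'\".",
    "Refused to load the stylesheet 'https://cdn.fonts.example:8443/theme.css' "
    "because it violates the following Content Security Policy directive: \"style-src 'self'\".",
    "Refused to frame 'http://legacy.example.net/report' because it violates the "
    "following Content Security Policy directive: \"frame-src 'self'\".",
]

# One allow-list entry: scheme, optional "*." wildcard, host, optional port.
ENTRY_RE = re.compile(
    r"^(https?)://(\*\.)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)(?::(\d{1,5}))?$"
)
DEFAULT_PORT = {"https": 443, "http": 80}


def validate_allow_list(value: str) -> list[str]:
    """One problem per malformed entry; an empty list means the value is usable."""
    problems = []
    for entry in value.split():
        if ENTRY_RE.match(entry):
            continue
        if "://" not in entry:
            problems.append(f"{entry}: missing protocol (https:// or http://)")
        else:
            problems.append(f"{entry}: not of the form scheme://host[:port]")
    return problems


def entry_matches(entry: str, origin: str) -> bool:
    """Does an allow-list entry cover an origin (scheme://host[:port])?
    A wildcard entry covers subdomains only, never the bare domain; the
    scheme must match and a port must match when either side names one."""
    m, o = ENTRY_RE.match(entry), ENTRY_RE.match(origin)
    if not m or not o or o.group(2):
        return False
    scheme, wildcard, host, port = m.groups()
    oscheme, _, ohost, oport = o.groups()
    if scheme != oscheme or (port or "") != (oport or ""):
        return False
    return ohost.endswith("." + host) if wildcard else ohost == host


def blocked_origin(message: str) -> str | None:
    """Pull the quoted URL out of a console message and reduce it to its origin,
    dropping the port when it is the scheme's default."""
    m = re.search(r"'(https?://[^']+)'", message)
    if not m:
        return None
    u = urlsplit(m.group(1))
    port = f":{u.port}" if u.port and u.port != DEFAULT_PORT[u.scheme] else ""
    return f"{u.scheme}://{u.hostname}{port}"


def missing_origins(allow_list: str, messages: list[str]) -> list[str]:
    """Blocked origins no current entry covers, in first-seen order."""
    entries = allow_list.split()
    missing: list[str] = []
    for message in messages:
        origin = blocked_origin(message)
        if origin and origin not in missing and not any(
            entry_matches(e, origin) for e in entries
        ):
            missing.append(origin)
    return missing


def proposed_allow_list(allow_list: str, messages: list[str]) -> str:
    """The value to pass to alation_conf nginx.csp_custom -s once reviewed."""
    return " ".join(allow_list.split() + missing_origins(allow_list, messages))


if __name__ == "__main__":
    print("problems:", validate_allow_list(CURRENT_ALLOW_LIST) or "none")
    for origin in missing_origins(CURRENT_ALLOW_LIST, CONSOLE_MESSAGES):
        print("not covered:", origin)
    print("proposed:", proposed_allow_list(CURRENT_ALLOW_LIST, CONSOLE_MESSAGES))
```

With the constructed input, the widget on widgets.analytics.example.com is already covered by the wildcard entry, so only the identity provider, the font CDN on its non-default port, and the plain-http legacy host are reported. Review each reported origin before adding it: the script tells you what the browser blocked, not whether that source belongs in your policy.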
CSP Directive Reference¶
When custom CSP is enabled, the following directives are configured:
| Directive | Description |
|---|---|
| default-src | Fallback for other directives. Set to |
| script-src | Controls JavaScript sources. Allows |
| style-src | Controls CSS sources. Allows |
| img-src | Controls image sources. Allows |
| font-src | Controls font sources. Allows |
| connect-src | Controls fetch, XMLHttpRequest, and WebSocket destinations. Allows |
| frame-src | Controls iframe sources. Allows |
| object-src | Controls plugin sources. Set to |
| base-uri | Controls base element URLs. Set to |
| frame-ancestors | Controls which domains can embed Alation pages. See Set Frame Ancestors to Prevent Clickjacking Attacks for configuration. |