Content Security Policy Settings for SharePoint Site Collections

Joe Paul 11 Reputation points
2021-03-25T04:30:54.103+00:00

We are trying to add a Content Security Policy (CSP) for a SharePoint 2013 application. CSP will not allow inline scripts and styles; hence the whole site is collapsing. Adding "unsafe-inline" will fix the issue, but for security reasons we are not adding "unsafe-inline". We have to fix the issue by adding a "nonce" or encrypting with "Sha" values. How can we add a "nonce" or "Sha" for all the scripts that are auto-generated in the SharePoint back-end, or is there any alternate solution for it other than "unsafe-inline"?

This link does not have an answer: https://social.technet.microsoft.com/Forums/en-US/8587394b-9421-43cb-a13e-1596d397a78e/adding-content-security-policy-for-sharepoint-2019?forum=SP2019


2 answers

  1. JoyZ 18,041 Reputation points
    2021-03-25T07:49:19.35+00:00

    Hi @Joe Paul ,

    From these articles (1, 2, 3) I researched, it's necessary to use nonces and hashes to allow inline scripts.

    You can set the HTTP Response Headers GUI in IIS Manager or add customHeaders to your web.config:


    Since Content Security Policy is not within our scope of support, and I cannot find any official support for it, we can offer only limited help on how to set up a detailed policy.

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
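    As an added example (not code from this thread or from Microsoft), the Python script below shows what the hash-based approach from the answer above actually involves, and why it is hard to apply to auto-generated scripts. It extracts inline `<script>` and `<style>` blocks from a rendered page, computes the `'sha256-…'` source expressions CSP expects, renders the IIS web.config `<customHeaders>` entry the answer refers to, and then re-runs the extraction on a second render of the same page to show that any block embedding a per-request value gets a different hash. The two HTML snippets are constructed for the example; the token name and script contents are placeholders and are not a claim about what SharePoint emits.

```python
"""Derive CSP hash sources for inline <script>/<style> blocks and render an IIS header.

Added example for this thread, not SharePoint or Microsoft code. The HTML samples
are constructed: PAGE_A and PAGE_B imitate the same page rendered twice, with one
inline script embedding a per-request token (an assumption for the demonstration).
"""
from __future__ import annotations

import base64
import hashlib
import re

# Matches an inline <script>…</script> or <style>…</style>; group 1 is the tag name.
INLINE_RE = re.compile(
    r"<(script|style)\b(?P<attrs>[^>]*)>(?P<body>.*?)</\1\s*>",
    re.IGNORECASE | re.DOTALL,
)


def csp_hash(source: str) -> str:
    """Return the CSP source expression 'sha256-<base64>' for one inline block.

    CSP hashes the exact UTF-8 bytes between the opening and closing tag, with no
    trimming, so any whitespace or value change produces a different token.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_hashes(html: str) -> dict[str, list[str]]:
    """Collect de-duplicated hash sources per directive, skipping external scripts (src=)."""
    found: dict[str, list[str]] = {"script-src": [], "style-src": []}
    for m in INLINE_RE.finditer(html):
        tag = m.group(1).lower()
        if tag == "script" and re.search(r"\bsrc\s*=", m.group("attrs"), re.IGNORECASE):
            continue  # external script: allow-list its origin, not a hash
        directive = "script-src" if tag == "script" else "style-src"
        token = csp_hash(m.group("body"))
        if token not in found[directive]:
            found[directive].append(token)
    return found


def build_policy(html: str) -> str:
    """Build a policy that permits only same-origin resources plus the hashed inline blocks."""
    hashes = inline_hashes(html)
    parts = ["default-src 'self'"]
    for directive in ("script-src", "style-src"):
        parts.append(" ".join([directive, "'self'", *hashes[directive]]))
    return "; ".join(parts)


def web_config_fragment(policy: str, report_only: bool = False) -> str:
    """Render the header as an IIS <customHeaders> entry (the web.config route mentioned above).

    report_only selects Content-Security-Policy-Report-Only, which logs violations
    without blocking; use it to find missing hashes before enforcing.
    """
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = policy.replace("&", "&amp;").replace('"', "&quot;")
    return (
        "<system.webServer>\n"
        "  <httpProtocol>\n"
        "    <customHeaders>\n"
        f'      <add name="{name}" value="{value}" />\n'
        "    </customHeaders>\n"
        "  </httpProtocol>\n"
        "</system.webServer>"
    )


def hashes_stable_across_requests(render_a: str, render_b: str) -> bool:
    """True only if every inline block hashes identically in both renders."""
    return inline_hashes(render_a) == inline_hashes(render_b)


# Constructed sample: a page with one static style, one external script, one inline
# script carrying a per-request token, and one static inline script.
PAGE_A = """<html><head>
<style>body { margin: 0 }</style>
<script src="/_layouts/15/init.js"></script>
<script>var pageContext = { requestToken: "0x1A2B" };</script>
<script>initPage(pageContext);</script>
</head><body></body></html>"""

# Second render of the same page: only the token differs (constructed).
PAGE_B = PAGE_A.replace('"0x1A2B"', '"0x9C8D"')


if __name__ == "__main__":
    print(web_config_fragment(build_policy(PAGE_A), report_only=True))
    if not hashes_stable_across_requests(PAGE_A, PAGE_B):
        print("\nInline script hashes differ between renders: a hash allow-list built from "
              "one request fails on the next. A stable policy without 'unsafe-inline' needs "
              "the server to emit a fresh nonce on every inline script tag.")
```

    The static style and the static inline script hash identically in both renders, so hashes work for inline content that never changes; the block carrying the token does not, which is the practical obstacle with auto-generated scripts. Deploy the header as Report-Only first and collect violation reports before switching to the enforcing header.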

  2. Tom Griffiths 0 Reputation points
    2024-03-14T03:16:19.67+00:00

    Sounds like this is fixed in the March 2024 update KB5002559.

    Improvements and fixes

    This security update contains an improvement and a fix for the following nonsecurity issue in SharePoint Enterprise Server 2016:

    • Allows users to disable SharePoint's Content Security Policy (CSP) HTTP header in SharePoint Pages. If you don't want to enable the SharePoint CSP HTTP header in SharePoint Pages, you can run the following cmdlets in PowerShell:

        Add-PSSnapin Microsoft.SharePoint.PowerShell
        $farm = Get-SPFarm
        $farm.EnableCSPHeaderForPage = $false
        $farm.Update()

    https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-enterprise-server-2016-march-12-2024-kb5002559-4ae5e078-9e6f-4df8-bec6-9215f0eff1df
