Forum Discussion

thridev
Occasional Visitor
2 years ago

Swagger UI requires 'unsafe-eval' or 'unsafe-inline' as part of CSP header load

We are using the following CSP header in our application: "script-src https: 'self';"

However, when using the above CSP header, Swagger UI fails to load with an error in the console saying that Swagger UI requires either unsafe-eval, unsafe-inline, sha or nonce in the script-src CSP header.

When adding them, "script-src https: 'unsafe-eval' 'unsafe-inline' 'self';", the Swagger UI works fine, but this defeats the purpose of hardening security using CSP headers.

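The two alternatives the console error names besides 'unsafe-inline', a hash of the inline script or a per-request nonce, as an added example that is not part of the original post: the index page, its paths and the nonce value are constructed, and it covers only the inline-script side of the policy, not 'unsafe-eval'.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample of the kind of Swagger UI index page that "script-src
# https: 'self'" blocks: the bundle is an external file, but the initializer
# that calls SwaggerUIBundle is an inline <script>. Paths are hypothetical.
SWAGGER_INDEX = """<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" href="/swagger-ui/swagger-ui.css">
  <script src="/swagger-ui/swagger-ui-bundle.js"></script>
</head>
<body>
  <div id="swagger-ui"></div>
  <script>
    window.onload = function () {
      window.ui = SwaggerUIBundle({ url: "/openapi.json", dom_id: "#swagger-ui" });
    };
  </script>
</body>
</html>
"""

# Matches only attribute-less inline scripts; <script src=...> is already
# covered by 'self' and is left alone.
INLINE_SCRIPT = re.compile(r"<script>(.*?)</script>", re.DOTALL)


def script_hash(source: str) -> str:
    """CSP hash-source for one inline script: base64(SHA-256) of the exact text
    between <script> and </script>, surrounding whitespace included."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def csp_with_hashes(html: str) -> str:
    """Static page: allow exactly the inline scripts it contains, no 'unsafe-inline'."""
    hashes = " ".join(script_hash(m.group(1)) for m in INLINE_SCRIPT.finditer(html))
    return f"script-src 'self' {hashes};"


def render_with_nonce(html: str, nonce: str = "") -> tuple:
    """Per-request nonce: tag each inline <script> and emit the matching policy.
    Returns (rewritten_html, csp_header_value); generate a fresh nonce per response."""
    nonce = nonce or secrets.token_urlsafe(16)
    tagged = html.replace("<script>", f'<script nonce="{nonce}">')
    return tagged, f"script-src 'self' 'nonce-{nonce}';"
```

The hash variant fits a page that never changes; the nonce variant is the one to use when the initializer is templated per request, since any edit to the script text invalidates a hash.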