hi there
I have created a custom form for one of the steps in my process. In this form, it sends a request to an implemented api. When using this form, the sent request displays a csp error. How can I fix this error? The result of my search was the following page, but it was not helpful.
https://docs.camunda.org/manual/7.20/webapps/shared-options/header-security/
You are facing this because Camunda 7.19 Onwards content security Policy has been made more stringent for security reasons. The requests to your apis are probably violating camunda csp.
You can refer to this documentation for details : HTTP Header Security | docs.camunda.org
Solution :
The configuration for changing CSP are documented here Process Engine Configuration | docs.camunda.org
Look for the content-security-policy-value under camunda.bpm.webapp.header-security .
If you are using Springboot based solution then you can override the CSP by using following OS environment variable (Springboot relaxed binding) :
CAMUNDA_BPM_WEBAPP_HEADERSECURITY_CONTENTSECURITYPOLICYVALUE
If you have some other distribution then configuration steps will Vary depending on that.
The changes in CSP will depend on the error you are seeing. Most probably you need to add connect-src to ‘self’ and desired api URL host e.g. https://abc.com
base-uri 'self';
script-src $NONCE 'strict-dynamic' 'unsafe-eval' https: 'self' 'unsafe-inline';
style-src 'unsafe-inline' 'self';
default-src 'self';
img-src 'self' data:;
block-all-mixed-content;
form-action 'self';
frame-ancestors 'none';
object-src 'none';
sandbox allow-forms allow-scripts allow-same-origin allow-popups allow-downloads;
connect-src 'self' 'https://abc.com';