- `ENABLE_CSP` - Set to `True`. Most users can set this and ignore the rest.
- `CSP_EXTRA_DEFAULT_SRC` - Set to a comma-separated list of any custom sources that need to be added to the default CSP policy. For example, if using a service like https://analytics.example.com, set the value to `https://analytics.example.com` or allow an entire domain like
- `CSP_REPORT_ONLY` - Set to `True` in order to report CSP issues without actually blocking content.
- `CSP_REPORT_URI` - Send CSP issues to a monitoring service like GlitchTip or csplogger, which are both free, open source applications that you can run yourself. That would let you get notified if a source is blocked.
If you already set your own CSP policy, for example in nginx, you may disregard this.
These changes will be implemented in kpi and we hope to contribute them to Enketo Express as well. I'll post again when the changes are released. They are not final, so please let me know any comments or suggestions. Setting CSP is a security best practice and I recommend enabling this.
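To make the four settings concrete, here is an added illustration (not kpi's or Enketo's own code) of how settings like these could be turned into the HTTP header a browser actually enforces. The base policy (`default-src 'self'`), the sample report endpoint and the second extra source are assumptions made for the demo; the post does not show kpi's real default policy.

```python
"""Added example: build a Content-Security-Policy header from settings shaped
like ENABLE_CSP, CSP_EXTRA_DEFAULT_SRC, CSP_REPORT_ONLY and CSP_REPORT_URI.
This is an illustration, not the implementation in kpi or Enketo Express."""

# Assumed base policy for the demo; the real kpi default is not shown in the post.
BASE_DEFAULT_SRC = ["'self'"]


def _as_bool(value):
    """Interpret env-style strings such as 'True', 'true' or '1' as booleans."""
    return str(value).strip().lower() in ("1", "true", "yes")


def _extra_sources(value):
    """Split a comma-separated CSP_EXTRA_DEFAULT_SRC value into clean tokens."""
    return [s.strip() for s in (value or "").split(",") if s.strip()]


def build_csp_header(env):
    """Return (header_name, header_value), or None when CSP is disabled.

    `env` is a dict keyed like the settings described in the post.
    """
    if not _as_bool(env.get("ENABLE_CSP", "False")):
        return None
    sources = BASE_DEFAULT_SRC + _extra_sources(env.get("CSP_EXTRA_DEFAULT_SRC"))
    directives = ["default-src " + " ".join(sources)]
    report_uri = (env.get("CSP_REPORT_URI") or "").strip()
    if report_uri:
        # report-uri is what delivers violation reports to GlitchTip / csplogger.
        directives.append("report-uri " + report_uri)
    # Report-Only mode reports violations without blocking anything.
    name = ("Content-Security-Policy-Report-Only"
            if _as_bool(env.get("CSP_REPORT_ONLY", "False"))
            else "Content-Security-Policy")
    return name, "; ".join(directives)


if __name__ == "__main__":
    # Constructed sample settings mirroring the analytics example in the post;
    # the report endpoint is a placeholder, not a real service URL.
    sample = {
        "ENABLE_CSP": "True",
        "CSP_EXTRA_DEFAULT_SRC": "https://analytics.example.com, https://cdn.example.org",
        "CSP_REPORT_ONLY": "True",
        "CSP_REPORT_URI": "https://csp-reports.example.com/report",
    }
    print(build_csp_header(sample))
```

Switching `CSP_REPORT_ONLY` to `False` changes only the header name, so the same policy that was being reported on becomes the one being enforced.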