topic Web Access PT content-security-policy header issues in Firewall and Security Management https://community.checkpoint.com/t5/Firewall-and-Security-Management/Web-Access-PT-content-security-policy-header-issues/m-p/277250#M105522 <P class=""><SPAN>Hello,</SPAN></P><P class=""><SPAN>we are currently building a PoC using the Mobile Access Blade. Our goal is to use a Web Access Portal to publish one of our internal web services.</SPAN></P><P class=""><SPAN>During testing, we encountered the following issue related to the CSP header. It appears that the gateway rewrites the CSP header, causing our service to stop functioning correctly because important CSP directives are missing or modified (see attached screenshot).</SPAN></P><P class=""><SPAN>The application itself is a Spring Boot application with a React frontend. The web service is configured in the Mobile Access Portal with Path Translation enabled. Due to Path Translation, when the </SPAN><SPAN>index.html</SPAN><SPAN> is accessed, a </SPAN><SPAN>&lt;script&gt;</SPAN><SPAN> tag containing the variables </SPAN><SPAN>___cp_cvpn_prefix_portal</SPAN><SPAN> and </SPAN><SPAN>___cp_cvpn_prefix_web_apps</SPAN><SPAN> is automatically injected into the page.</SPAN></P><P class=""><SPAN>However, this injected script is blocked by our CSP policies. Relaxing the policy by allowing </SPAN><SPAN>'unsafe-inline'</SPAN><SPAN> is not considered a secure option for us.</SPAN></P><P class=""><SPAN>Therefore, we would like to understand:</SPAN><BR /><SPAN>How should the configuration be adjusted so that a dynamic nonce is added to the CSP header and also applied to the injected </SPAN><SPAN>&lt;script&gt;</SPAN><SPAN> tag? Alternatively, is there a supported way to customize or preserve the CSP headers generated by the gateway?</SPAN></P><P class=""><SPAN>Do you have any recommendations or best practices on how this issue can be resolved properly?</SPAN></P><P><SPAN>Thank you!</SPAN></P><DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2026-05-20 23_37_15-.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/34283i0A72151CB082B8AF/image-size/large?v=v2&amp;px=999" role="button" title="2026-05-20 23_37_15-.png" alt="2026-05-20 23_37_15-.png" /></span></P> Thu, 21 May 2026 08:26:33 GMT Romaryo 2026-05-21T08:26:33Z Web Access PT content-security-policy header issues https://community.checkpoint.com/t5/Firewall-and-Security-Management/Web-Access-PT-content-security-policy-header-issues/m-p/277250#M105522 <P class=""><SPAN>Hello,</SPAN></P><P class=""><SPAN>we are currently building a PoC using the Mobile Access Blade. Our goal is to use a Web Access Portal to publish one of our internal web services.</SPAN></P><P class=""><SPAN>During testing, we encountered the following issue related to the CSP header. It appears that the gateway rewrites the CSP header, causing our service to stop functioning correctly because important CSP directives are missing or modified (see attached screenshot).</SPAN></P><P class=""><SPAN>The application itself is a Spring Boot application with a React frontend. The web service is configured in the Mobile Access Portal with Path Translation enabled. Due to Path Translation, when the </SPAN><SPAN>index.html</SPAN><SPAN> is accessed, a </SPAN><SPAN>&lt;script&gt;</SPAN><SPAN> tag containing the variables </SPAN><SPAN>___cp_cvpn_prefix_portal</SPAN><SPAN> and </SPAN><SPAN>___cp_cvpn_prefix_web_apps</SPAN><SPAN> is automatically injected into the page.</SPAN></P><P class=""><SPAN>However, this injected script is blocked by our CSP policies. Relaxing the policy by allowing </SPAN><SPAN>'unsafe-inline'</SPAN><SPAN> is not considered a secure option for us.</SPAN></P><P class=""><SPAN>Therefore, we would like to understand:</SPAN><BR /><SPAN>How should the configuration be adjusted so that a dynamic nonce is added to the CSP header and also applied to the injected </SPAN><SPAN>&lt;script&gt;</SPAN><SPAN> tag? Alternatively, is there a supported way to customize or preserve the CSP headers generated by the gateway?</SPAN></P><P class=""><SPAN>Do you have any recommendations or best practices on how this issue can be resolved properly?</SPAN></P><P><SPAN>Thank you!</SPAN></P><DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2026-05-20 23_37_15-.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/34283i0A72151CB082B8AF/image-size/large?v=v2&amp;px=999" role="button" title="2026-05-20 23_37_15-.png" alt="2026-05-20 23_37_15-.png" /></span></P> Thu, 21 May 2026 08:26:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Web-Access-PT-content-security-policy-header-issues/m-p/277250#M105522 Romaryo 2026-05-21T08:26:33Z