Romaryo
Collaborator

Web Access PT content-security-policy header issues

Hello,

We are currently building a PoC using the Mobile Access Blade. Our goal is to use a Web Access Portal to publish one of our internal web services.

During testing, we encountered the following issue related to the CSP header. It appears that the gateway rewrites the CSP header, causing our service to stop functioning correctly because important CSP directives are missing or modified (see attached screenshot).

The application itself is a Spring Boot application with a React frontend. The web service is configured in the Mobile Access Portal with Path Translation enabled. Due to Path Translation, when the index.html is accessed, a <script> tag containing the variables ___cp_cvpn_prefix_portal and ___cp_cvpn_prefix_web_apps is automatically injected into the page.

However, this injected script is blocked by our CSP policies. Relaxing the policy by allowing 'unsafe-inline' is not considered a secure option for us.

Therefore, we would like to understand:
How should the configuration be adjusted so that a dynamic nonce is added to the CSP header and also applied to the injected <script> tag? Alternatively, is there a supported way to customize or preserve the CSP headers generated by the gateway?

Do you have any recommendations or best practices on how this issue can be resolved properly?

Thank you!

 

2026-05-20 23_37_15-.png
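A diagnostic for the symptom described in the post, as an added example that is not part of the original post and is not Check Point code: it lists which CSP directives differ between the origin's header and the one the browser receives, and which inline scripts the received policy blocks. The header values, the nonce, the page markup and the shape of the injected script are constructed samples; only the two `___cp_cvpn_prefix_*` variable names come from the post.

```javascript
// Constructed sample data (assumptions, not captured from a real gateway).
const ORIGIN_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'";
const RECEIVED_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'"; // as seen behind the portal
const PAGE = `<html><head>
<script>var ___cp_cvpn_prefix_portal = "PLACEHOLDER"; var ___cp_cvpn_prefix_web_apps = "PLACEHOLDER";</script>
<script nonce="r4nd0m">window.__APP_CONFIG__ = {};</script>
<script src="/static/js/main.js"></script>
</head><body><div id="root"></div></body></html>`;

// Parse a CSP header value into Map(directive -> source list); a repeated directive is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Directives dropped, changed or added between the origin's policy and the received one.
function diffCsp(originHeader, receivedHeader) {
  const origin = parseCsp(originHeader), received = parseCsp(receivedHeader);
  const key = (sources) => [...sources].sort().join(' ');
  const changes = [];
  for (const [name, sources] of origin) {
    if (!received.has(name)) changes.push(`missing: ${name}`);
    else if (key(sources) !== key(received.get(name))) changes.push(`modified: ${name}`);
  }
  for (const name of received.keys()) if (!origin.has(name)) changes.push(`added: ${name}`);
  return changes;
}

// Inline <script> bodies the policy blocks. Hash sources are not evaluated here:
// a script that is allowed only by a hash source is reported as blocked.
function blockedInlineScripts(cspHeader, html) {
  const policy = parseCsp(cspHeader);
  const sources = policy.get('script-src-elem') ?? policy.get('script-src') ?? policy.get('default-src');
  if (!sources) return []; // no directive governs scripts, so nothing is blocked
  const nonces = sources.filter((s) => /^'nonce-.+'$/i.test(s)).map((s) => s.slice(7, -1));
  // A nonce, hash or 'strict-dynamic' source makes browsers ignore 'unsafe-inline'.
  const strict = nonces.length > 0 || sources.some((s) => /^'(sha(256|384|512)-|strict-dynamic')/i.test(s));
  const inlineOk = !strict && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  const blocked = [];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (/\bsrc\s*=/i.test(attrs) || inlineOk) continue; // external scripts are not inline
    const nonce = (attrs.match(/\bnonce\s*=\s*["']([^"']*)["']/i) || [])[1];
    if (!nonces.includes(nonce)) blocked.push(body.trim());
  }
  return blocked;
}
```

Run against the header and HTML captured from the browser's network tab, `diffCsp` shows what changed on the way through the portal and `blockedInlineScripts` shows which inline script lacks a nonce that matches the policy.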
