What is CSP (Content-Security-Policy) and How does it Relate to Qlik?

Sonja_Bauernfeind — Mon, 13 Apr 2026 11:34:05 GMT

What is CSP (Content-Security-Policy)?

CSP helps to prevent cross-site scripting attacks by controlling what resources a browser can request from a server.

Say a user navigates to https://www.goodpage.com.

The user's browser sends a GET request to https://www.goodpage.com, and the server in-turn responds with resources such as HTML, CSS, images, etc. In a cross-site scripting attack, the browser is tricked into making requests also to an unintended page such as https://evilpage.com. Normally, browsers implement something called the Same Origin Policy; this restricts how scripts from one origin can interact with resources requested from a different origin (a same-origin meaning coming from the same protocol, domain, and port). However, this can be circumvented in various ways that are outside the scope of this article.

What Content-Security-Policy allows a web administrator to do is send a custom set of instructions ("policies") to the browser (via the header, "Content-Security-Policy") that tells the browser to treat resources according to particular rules. For example, it's possible to tell the browser to only execute javascript resources from a specific domain, and if a browser attempts to do this it is also possible to send error reports to a specified URI. If a browser doesn't implement CSP, it will default to the Same Origin Policy.

There is a wealth of information about this available online (such as Mozilla's developer documentation) if you wish to dig further into the specific details of how to implement various Content Security Policies.

How is CSP (Content-Security-Policy) Relevant to Qlik?

Generally speaking, it's not.

CSP is implemented by the browser, and its implementation is therefore going to vary from browser to browser. If there is an issue with CSP or a general question about CSP with a specific browser version, then this is a browser issue and not a Qlik issue.

The only point where Qlik comes into the equation is if Qlik Sense has been configured to send custom response headers (instead of using a frontend web server to do this, which is a better practice). If Qlik Sense is not sending custom response headers at all, then this would be a Qlik problem. Please see How to add additional response headers in Qlik Sense for information on how to send custom response headers in Qlik Sense. Please also see Can QlikView Send Custom HTTP Response Headers? for more information on sending custom headers in Qlikview.

Environment:

Re: What is CSP (Content-Security-Policy) and How does it Relate to Qlik?

_rohitgharat — Fri, 28 Oct 2022 11:29:30 GMT

How to add content security policy in response headers?

Re: What is CSP (Content-Security-Policy) and How does it Relate to Qlik?

Sonja_Bauernfeind — Fri, 28 Oct 2022 11:32:09 GMT

Hello @_rohitgharat

If you are looking to add custom response headers in Qlik Sense (Enterprise on Windows), see How to add additional response headers in Qlik Sense.

Please note that we cannot advise on what headers to add.

All the best,
Sonja

article What is CSP (Content-Security-Policy) and How does it Relate to Qlik? in Official Support Articles

What is CSP (Content-Security-Policy) and How does it Relate to Qlik?

Environment:

Re: What is CSP (Content-Security-Policy) and How does it Relate to Qlik?

Re: What is CSP (Content-Security-Policy) and How does it Relate to Qlik?