Link Search Menu Expand Document Documentation Menu

Configuring Content Security Policy rules dynamically

Introduced 2.13

Content Security Policy (CSP) is a security standard intended to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in the trusted webpage context. OpenSearch Dashboards supports configuring CSP rules in the opensearch_dashboards.yml file by using the csp.rules key. A change in the YAML file requires a server restart, which may interrupt service availability. You can, however, configure the CSP rules dynamically through the applicationConfig plugin without restarting the server.


The applicationConfig plugin provides read and write APIs that allow OpenSearch Dashboards users to manage dynamic configurations as key-value pairs in an index. The cspHandler plugin registers a pre-response handler to HttpServiceSetup, which gets CSP rules from the dependent applicationConfig plugin and then rewrites to the CSP header. Enable both plugins within your opensearch_dashboards.yml file to use this feature. The configuration is shown in the following example. Refer to the cspHandler plugin README for configuration details.

application_config.enabled: true
csp_handler.enabled: true

Enable site embedding for OpenSearch Dashboards

To enable site embedding for OpenSearch Dashboards, update the CSP rules using CURL. When using CURL commands with single quotation marks inside the data-raw parameter, escape them with a backslash (\). For example, use '\'' to represent '. The configuration is shown in the following example. Refer to the applicationConfig plugin README for configuration details.

curl '{osd endpoint}/api/appconfig/csp.rules' -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'osd-xsrf: osd-fetch' -H 'Sec-Fetch-Dest: empty' --data-raw '{"newValue":"script-src '\''unsafe-eval'\'' '\''self'\''; worker-src blob: '\''self'\''; style-src '\''unsafe-inline'\'' '\''self'\''; frame-ancestors '\''self'\'' {new site}"}'

Delete CSP rules

Use the following CURL command to delete CSP rules:

curl '{osd endpoint}/api/appconfig/csp.rules' -X DELETE -H 'osd-xsrf: osd-fetch' -H 'Sec-Fetch-Dest: empty'

Get CSP rules

Use the following CURL command to get CSP rules:

curl '{osd endpoint}/api/appconfig/csp.rules'


Dynamic configurations override YAML configurations, except for empty CSP rules. To prevent clickjacking, a frame-ancestors: self directive is automatically added to YAML-defined rules when necessary.

350 characters left

Have a question? .

Want to contribute? or .