TeamCity
 
You are viewing the documentation for an earlier version of TeamCity.

Content Security Policy in TeamCity

Last modified: 23 July 2020

TeamCity implements additional HTTP security with the Content-Security-Policy (CSP) header.

The header prohibits TeamCity pages from downloading external resources, with some whitelisted exceptions. Downloading from non-whitelisted resources will be blocked.

In some setups, you may need to allow downloading external resources. For example, when using analytics tools or when integrating TeamCity with external services via a plugin.

As a plugin developer, you can provide CSP directives via the ContentSecurityPolicyConfig OpenAPI interface.

As a server administrator, you can change the CSP header value via the internal properties:

  • for TeamCity administration pages:

    teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=<full_header_value>
  • for other TeamCity pages:

    teamcity.web.header.Content-Security-Policy.protectedValue=<full_header_value>