Nautobot - Content Security Policy best practice deviation - Unsafe Inline #5607
TheBirdsNest
started this conversation in
General
Replies: 1 comment
-
@TheBirdsNest thanks for bringing this up. We are aware of the need to introduce a default |
-
Hello Community!
I am deploying Nautobot in my organisation and we have a security policy that the 'Content-Security-Policy' directive must be present in the header without 'unsafe-inline' options configured for any element.
When applying this, the styling in Nautobot is broken and I see a large amount of errors.
I can see that styles have been configured inline.
It is well understood that 'unsafe-inline' should be avoided to mitigate injection attacks.
https://content-security-policy.com/unsafe-inline/
Does anyone know if something is being done about this already?
Thanks,
Lawrence
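An audit along the lines the post describes, as an added example that is not part of the original post or of Nautobot's code: it reports which directives of a policy still carry 'unsafe-inline' and lists the inline styling and scripting in a rendered page that a policy without it will refuse to apply. The function names, the sample policy and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser

def unsafe_inline_directives(csp):
    """Return the CSP directives whose source list contains 'unsafe-inline'."""
    flagged = []
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and "'unsafe-inline'" in [t.lower() for t in tokens[1:]]:
            flagged.append(tokens[0].lower())
    return flagged

class InlineFinder(HTMLParser):
    """Records markup that a policy without 'unsafe-inline' will not apply."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, description)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        names = [name for name, _ in attrs]
        # Inline <style>/<script> blocks can be allowed by nonce; a hash in the
        # policy would also allow them, which markup alone cannot show.
        if tag == "style" and "nonce" not in names:
            self.findings.append((line, "<style> element without nonce"))
        if tag == "script" and "src" not in names and "nonce" not in names:
            self.findings.append((line, "inline <script> without nonce"))
        for name in names:
            if name == "style":
                self.findings.append((line, f"style attribute on <{tag}>"))
            elif name.startswith("on"):
                self.findings.append((line, f"{name} handler on <{tag}>"))

def find_inline(html):
    finder = InlineFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample policy and page, for illustration only.
SAMPLE_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/app.css">
<style>.nav { color: red }</style>
<script src="/static/app.js"></script>
</head><body>
<div style="display:none" onclick="toggle()">x</div>
<script nonce="abc123">init()</script>
</body></html>"""

if __name__ == "__main__":
    print("directives allowing unsafe-inline:", unsafe_inline_directives(SAMPLE_CSP))
    for line, what in find_inline(SAMPLE_HTML):
        print(f"line {line}: {what}")
```

Running it against pages saved from a deployment gives a list of the templates that need their styles moved to external stylesheets before the stricter header can be enforced.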