Enable the Content Security Policy for Real User Monitoring

If the RUM Agent request from the client browser fails with a blocked:csp error like the one shown below, you need to add a Content Security Policy directive in the web server that permits Real User Monitoring. This page guides you through that configuration.


What is Content Security Policy (CSP)?

Content Security Policy (CSP) is a security standard that protects web applications from cross-site scripting (XSS) and other code injection attacks by restricting the origins from which a page may load scripts, make connections and fetch other resources. Note, however, that a strict CSP can also block the inline RUM script and prevent the browser from sending monitoring data to the Real User Monitoring agent.

How is the CSP rule configured in the application?

CSP rules can be set either via a <meta> element in the page or via the Content-Security-Policy HTTP response header. For example, as a <meta> element:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self';"/>

How to enable Content Security Policy (CSP) for Real User Monitoring?

The CSP rules on a page must allow the RUM script to be loaded and executed, and must allow the browser to send data to the RUM Agent. Follow the steps below to enable CSP for RUM:

1. Copy the RUM Agent URL from the script injected in your application
The RUM Agent URL appears in the RUM script snippet injected into your application's pages. Copy this URL; you need it for the CSP configuration.

2. Construct the Content Security Policy to allow the copied RUM Agent URL
A Content Security Policy is a string that specifies which sources of content a web page may load and execute. Construct the policy so that it allows the RUM Agent URL in both the connect-src and script-src directives.
Here is an example policy that allows the RUM Agent URL:
Content-Security-Policy: connect-src 'self' https://your.corp.com:7443; script-src 'unsafe-inline' https://your.corp.com:7443
This policy allows the page to connect (XHR, fetch, beacons) to https://your.corp.com:7443 and to load scripts from that origin; 'unsafe-inline' allows the injected inline RUM snippet to execute. Two points to keep in mind: 'unsafe-inline' permits every inline script on the page, so keep the rest of the policy as tight as possible, and if connect-src or script-src is omitted entirely the browser falls back to default-src, so adding the agent origin only to default-src-less policies will not help unless those directives are present.

3. Restart your application (if required) and check whether Real User Monitoring is enabled for the site
After configuring the CSP, restart the application if required, then verify in the RUM dashboard that monitoring data is being received for the site.
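The following is an added example, not code from the article or from Applications Manager: it parses a CSP header value, reports whether the RUM Agent origin would be blocked (the blocked:csp error above), and produces a policy that allows it. It assumes the page's placeholder agent URL https://your.corp.com:7443 and a hypothetical page origin https://app.example.com; the source matching is a simplified subset of the CSP rules.

```javascript
// Added example (not from the article). Agent URL https://your.corp.com:7443 is the page's placeholder.
function parseCsp(policy) {                     // "directive sources; ..." -> Map(directive -> [sources])
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}
// Fetch directives fall back to default-src when absent; null means no restriction at all.
function effectiveSources(d, name) { return d.get(name) ?? d.get('default-src') ?? null; }

// Simplified source matching: 'self', '*', "https:", exact host or "*.host", optional port.
function allowsOrigin(sources, origin, pageOrigin) {
  if (sources === null) return true;
  const t = new URL(origin);
  const tPort = t.port || (t.protocol === 'https:' ? '443' : '80');
  return sources.some((src) => {
    if (src === "'self'") return origin === pageOrigin;
    if (src.startsWith("'")) return false;                 // other keywords never match a host
    if (src === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === t.protocol;
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(src);
    if (!m) return false;
    const [, scheme, wild, host, port] = m;
    if (scheme && scheme.toLowerCase() + ':' !== t.protocol) return false;
    const hostOk = wild ? t.hostname.endsWith('.' + host.toLowerCase()) : t.hostname === host.toLowerCase();
    const sPort = port ?? (t.protocol === 'https:' ? '443' : '80');
    return hostOk && (sPort === '*' || sPort === tPort);
  });
}
// True only if both the agent script (script-src) and its beacon traffic (connect-src) are permitted.
function rumAllowed(policy, agentUrl, pageOrigin) {
  const d = parseCsp(policy), origin = new URL(agentUrl).origin;
  return ['script-src', 'connect-src'].every((n) => allowsOrigin(effectiveSources(d, n), origin, pageOrigin));
}

// Add the agent origin to connect-src and script-src ('unsafe-inline' too, as in step 2), copying
// default-src into a missing directive so the fallback cannot keep blocking the agent.
function allowRumAgent(policy, agentUrl) {
  const d = parseCsp(policy), origin = new URL(agentUrl).origin;
  for (const name of ['connect-src', 'script-src']) {
    const sources = [...(d.get(name) ?? d.get('default-src') ?? [])].filter((s) => s !== "'none'");
    if (!sources.includes(origin)) sources.push(origin);
    if (name === 'script-src' && !sources.includes("'unsafe-inline'")) sources.push("'unsafe-inline'");
    d.set(name, sources);
  }
  return [...d].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}
```

Running rumAllowed on the <meta> policy shown earlier returns false, because script-src falls back to default-src 'self'; the policy returned by allowRumAgent passes the same check.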

