Enable and Disable the Content Security Filter (CSP)
The CSP filter is supported in the following versions:
• 9.3.15
• 9.4.5
• 9.5.1
New Installation with the CSP Filter Enabled — Docker Compose
Set or update ENABLE_CONTENT_SECURITY_POLICY_FILTER to False under the ThingWorx Platform service in the docker-compose.yml file.
Update the required files and build.env variables from Setting Up ThingWorx Docker Builds.
|
Variable Name
|
Values
|
Defaults
|
Comments
|
|
ENABLE_CONTENT_SECURITY_POLICY_FILTER
|
True/False
|
False
|
Enable/Disable CSP filter
|
 |
CSP will be disabled in the new installation if the above environment variable is not set or the value is specifically set to False.
|
Upgrade ThingWorx to Versions that Support CSP
Upgrade ThingWorx with CSP Disabled
1. Back up the mounted web.xml from the previous deployment.
2. Upgrade ThingWorx. See Upgrading ThingWorx for the steps.
3. Set or update the ENABLE_CONTENT_SECURITY_POLICY_FILTER environment variable to False under the ThingWorx Platform service in the docker-compose.yml file.
4. Mount the new web.xml.
5. Stop the Platform container.
6. Follow the steps below to restore the Clickjack Filter configurations:
a. Copy the Clickjack Filter configurations from the backup web.xml file.
b. Paste the Clickjack Filter configurations into the newly mounted web.xml file.
7. Set or update the ENABLE_CONTENT_SECURITY_POLICY_FILTER to False under the ThingWorx Platform service in the docker-compose.yml file.
8. Restart the Platform container.
Upgrade ThingWork with CSP Enabled
1. Back up the mounted web.xml from the previous deployment.
2. Upgrade ThingWorx. See Upgrading ThingWorx for the steps.
3. Set or update the ENABLE_CONTENT_SECURITY_POLICY_FILTER environment variable to False under the ThingWorx Platform service in the docker-compose.yml file.
4. Mount the new web.xml.
5. Stop the Platform container.
6. Follow the steps below to restore the Clickjack Filter configurations:
a. Copy the Clickjack Filter configurations from the backup web.xml file.
b. Paste the Clickjack Filter configurations into the newly mounted web.xml file.
7. Set or update the ENABLE_CONTENT_SECURITY_POLICY_FILTER to True under the ThingWorx Platform service in the docker-compose.yml file.
8. Restart the Platform container.
|
|
Note the following:
• Do not replace the web.xml file with the older version. Copy the configurations manually from the back up file to the new web.xml file.
• ThingWorx will upgrade with the CSP filter disabled if the ENABLE_CONTENT_SECURITY_POLICY_FILTER environment variable flag is not specified or set to False explicitly.
• Clickjack Filter settings are migrated to CSP only when this flag is set to True, and Clickjack Filter settings are restored into the new web.xml file.
|
Enable/Disable CSP on an Existing Environment
To enable and disable CSP on an existing environment, perform the following steps:
1. Set or update the ENABLE_CONTENT_SECURITY_POLICY_FILTER environment variable to True under the ThingWorx Platform service in the docker-compose.yml file.
2. Restart the Platform container.
At ThingWorx startup, the ClickjackFilter configurations from the web.xml file are automatically migrated to CSP if all of the following conditions are satisfied:
• The CSP is turned on.
• The Clickjack Filter has been configured in the web.xml file.
• The CSP filter is not already configured by ThingWorx admin in ThingWorx Composer.