Issue
- The "Content security policy" header is not available in the application response. How to add or enable the CSP?
Environment
- Liferay DXP 7.3
Resolution
- Liferay does not directly support CSP: there are no out-of-the-box (OOTB) configurations or UI settings for configuring CSP directives. However, Liferay does not exclude the possibility of applying third-party implementations.
- Hence, at your own sole discretion, you can enable it at the web server or theme level.
For more information, please go through the following unofficial documents.
- Content Security Policy (CSP) Headers using the meta tag: describes the procedure to enable CSP using a custom meta tag in the theme.
- Content Security Policy (CSP): describes CSP, mitigation steps, and different use cases as examples.
- CSP Nonce support in Nginx: describes the procedure at the web server level.
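Both options above (a web server header and a theme-level meta tag) carry the same policy string, so the check a practitioner wants is the same in either case: is the header actually present in the response, and does the policy it carries avoid the source expressions that undo its protection? The following Python is an added illustration for this article; it is not Liferay code and does not use any Liferay API. The sample responses and the policy are constructed for the example, and the nginx `add_header` line and meta tag it renders are the generic forms of those mechanisms, not settings taken from the linked documents.

```python
"""Build, parse and audit a Content-Security-Policy header value.

Added illustration; not Liferay code. Models the two places the article mentions
for enabling CSP: a web-server header (here rendered as an nginx add_header line)
and a theme-level <meta http-equiv> tag, which carry the same policy string.
"""

# Source expressions that weaken a policy; flagged by audit_policy().
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:"}


def build_policy(directives):
    """Serialise {directive: [sources]} into a CSP header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def parse_policy(value):
    """Parse a CSP header value into {directive: [sources]}.

    A directive repeated inside one policy is ignored after its first
    occurrence, which is how browsers treat duplicates.
    """
    result = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in result:
            result[name] = tokens[1:]
    return result


def find_csp(headers):
    """Return the CSP header value from a header mapping (case-insensitive name), or None."""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return value
    return None


def audit_policy(value):
    """Return a list of findings for a policy value (empty list means no finding)."""
    findings = []
    directives = parse_policy(value)
    if "default-src" not in directives:
        findings.append("missing default-src fallback")
    for name, sources in directives.items():
        for src in sources:
            if src in WEAK_SOURCES:
                findings.append(f"{name} allows {src}")
    return findings


def nginx_add_header(value):
    """Render the nginx directive for this policy; 'always' keeps it on error responses too."""
    return f'add_header Content-Security-Policy "{value}" always;'


def meta_tag(value):
    """Render the theme-level meta tag alternative.

    Caveat: frame-ancestors, report-uri and sandbox are ignored when the
    policy is delivered via a meta tag, so those need the HTTP header.
    """
    return f'<meta http-equiv="Content-Security-Policy" content="{value}">'


# Constructed sample responses (not captured from a real Liferay instance).
RESPONSE_WITHOUT_CSP = {"Content-Type": "text/html;charset=UTF-8", "X-Frame-Options": "SAMEORIGIN"}
STRICT_POLICY = build_policy({
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'self'"],
})
RESPONSE_WITH_CSP = {"content-type": "text/html", "Content-Security-Policy": STRICT_POLICY}

if __name__ == "__main__":
    for resp in (RESPONSE_WITHOUT_CSP, RESPONSE_WITH_CSP):
        csp = find_csp(resp)
        print("CSP present:", csp is not None, "findings:", audit_policy(csp) if csp else "n/a")
    print(nginx_add_header(STRICT_POLICY))
    print(meta_tag(STRICT_POLICY))
```

In practice the header mapping passed to `find_csp` would come from the real response (for example via `curl -I` against the portal behind the web server); the constructed dictionaries stand in for that here so the script runs offline. Once the header is in place, `audit_policy` is the quick way to confirm that the directives you configured did not quietly allow `'unsafe-inline'` or a wildcard source.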
Additional Information
Please Note: The procedures and unofficial links above involve custom implementation ideas that are beyond the scope of Liferay Support. Please exercise appropriate discretion in using this information. For further assistance with these implementation ideas, please reach out to our dedicated Global Services (GS) team; your sales representative can put you in contact with the GS team and explain the engagement in detail.

Also, a Feature Request and an Epic ticket have been raised for this matter, with an ongoing discussion to analyze the possibility of adding support for CSP at the product level in a future version of Liferay DXP.
On a side note:
- If you are looking for the same, I would encourage your team to Vote for and Watch the feature request by clicking 'Vote for this issue'. For more information, see the Requesting a New Feature or Feature Improvement article.
- However, the exact implementation will depend on our Product Team's decisions, and the new feature can only be added to a future Liferay release if the product team plans for it to be included.
- JIRA requires a different login than the Help Center to Vote and Watch; the account can be self-created.

Related articles:
- Why certain Security Headers are not included in the HTTP Request and Response of Liferay DXP
- CSP Header