
Currently Dynamics 365 Finance and Operations does not support Content Security Policy (CSP), so the finding "Content Security Policy (CSP) Header Not Set" is reported against the affected servers (URLs), such as https://...-prod.operations.dynamics.com/

Content Security Policy (CSP) is an additional layer of security that helps detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

These attacks are used for everything from data theft to defacing websites or spreading malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved content sources that browsers are allowed to load on a page. Covered types are JavaScript, CSS, HTML frames, fonts, images, and embeddable objects such as Java applets, ActiveX, audio, and video files.

Setting a CSP header for the affected servers, including https://...-prod.operations.dynamics.com, is a best practice for enhancing the security of your application. It helps to prevent XSS, clickjacking, and other types of attacks by controlling what content is allowed to be loaded and executed by the browser. Implement it carefully, starting with a report-only mode, and adjust as needed to ensure it does not interfere with legitimate functionality.

The policy should be tested, monitored and adjusted before it is enforced.

Monitor CSP reports and adjust the policy as needed to ensure that all legitimate content is allowed while blocking potentially harmful content.

Once you are confident that the policy is correct, switch from the Report-Only header to the enforcing Content-Security-Policy header.
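The rollout described above (send the policy as Report-Only, collect violation reports, then enforce) can be exercised offline with the following Python script. It is an added example and not code from Microsoft or the Dynamics 365 product; the policy directives and hosts in `POLICY`, the `/csp-report` endpoint and the sample violation reports are constructed placeholders. It shows the header a scanner expects to find, the report-uri JSON shape browsers post, and how to tally reports so you can see which sources still need to be allowed before enforcing.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical starting policy for an application. Directive names and
# keywords are standard CSP; the allowed hosts are constructed placeholders.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://static.example.com"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "frame-ancestors": ["'none'"],   # also covers clickjacking
    "report-uri": ["/csp-report"],   # placeholder endpoint that receives reports
}


def build_csp(policy):
    """Serialize a directive -> source-list mapping into a CSP header value."""
    return "; ".join(f"{directive} {' '.join(sources)}"
                     for directive, sources in policy.items())


def csp_headers(policy, report_only=True):
    """Return the header to send: Report-Only while tuning, enforcing once correct."""
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return {name: build_csp(policy)}


def csp_status(response_headers):
    """Classify a response's CSP posture; 'missing' is what the scanner finding reports."""
    names = {k.lower() for k in response_headers}
    if "content-security-policy" in names:
        return "enforced"
    if "content-security-policy-report-only" in names:
        return "report-only"
    return "missing"


def _blocked_origin(blocked_uri):
    """Reduce a blocked-uri to its origin; keywords such as 'inline' or 'eval' stay as-is."""
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri


def summarize_reports(raw_reports):
    """Tally report-uri JSON violation reports by (directive, blocked origin)."""
    counts = Counter()
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        # Newer browsers send effective-directive; fall back to the first token
        # of violated-directive for older reports.
        directive = (report.get("effective-directive")
                     or report.get("violated-directive", "").split(" ")[0])
        counts[(directive, _blocked_origin(report.get("blocked-uri", "")))] += 1
    return dict(counts)


# Constructed sample reports, in the shape browsers POST to a report-uri endpoint.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example.com/",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example.net/lib.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example.com/",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example.net/other.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example.com/",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "inline"}}),
]

if __name__ == "__main__":
    print(csp_headers(POLICY))                      # Report-Only header for the first rollout
    print(csp_status({"X-Frame-Options": "DENY"}))  # 'missing': the scanner finding
    for (directive, origin), n in summarize_reports(SAMPLE_REPORTS).items():
        print(f"{n:3d}  {directive:<16} {origin}")
```

Two violations for `https://cdn.example.net` under `script-src` mean that host must be added to the policy (or the script self-hosted) before enforcing; the `inline` violation points at an inline script that should be moved to a file or covered by a nonce or hash rather than by `'unsafe-inline'`.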


Please vote for this idea so that Microsoft considers support for Content Security Policy (CSP) in a coming update of Dynamics 365 Finance and Operations.

Thanks in advance.

STATUS DETAILS
New