CSP headers configuration for SonarQube with SSL through IIS reverse proxy

Must-share information (formatted with Markdown):

  • SonarQube version Community Edition Version 8.9.6 (build 50800)

Current SonarQube manuals don’t have any recommendation on CSP headers. Our security team is concerned on missing of the following ones: Content-Security-Policy, Referrer-Policy, Feature-Policy. Could you please confirm whether its configuration on reverse proxy side (IIS in our case) would not break anything in the SonarQube server.

Hey there.

No known issues with setting these headers – but I’d encourage you to try it out in a test environment first to be safe.

We are not sure we can do a convenient testing. Another thread (Add “Content-Security-Policy” header - Suggest new features / New features - SonarSource Community) makes us think not everything may be done on our side keeping Sonarqube fully functional.

So the question is on Sonar source recommendations for the security headers. Is there any?