Customize the Content Security Policy (CSP) for a custom domain

Early Access release. See Manage Early Access and Beta features.

You can customize the Content Security Policy (CSP) for a custom domain. This feature lets you control which URLs you can link to from your customized sign-in and error pages. You add URLs for trusted external resources, such as links to images, and then add these links to the code in your sign-in and error pages.

The default CSP provided by Okta can break customizations.

Customize the CSP

  1. In the Admin Console, go to CustomizationsBranding.

  2. To add trusted external resources for sign-in pages, click Edit in the Sign-in page section. To add trusted external resources for error pages, click Edit in the Error pages section.
  3. Click Settings.
  4. Click Edit in the Content Security Policy section.
  5. Create a list of Trusted external resources. Click Add and enter or paste the URL for a trusted external resource in the field.

    All external resources that aren't in this list are considered untrusted and aren't allowed to appear on your sign-in or error pages.

  6. Enter a Validations report URI to send report details to.
  7. Choose an Enforcement option:
    • Select Enforced to block resources that are untrusted by the CSP.
    • Select Not enforced (Report-only mode) for testing purposes only.
  8. Click Save to draft.
  9. Click Preview to review your changes.
  10. Click Publish.

Related topics

Configure a custom domain

Customize your sign-in page

Customize an error page

Configure general customization settings