Enforce Content Security Policy (CSP) for customized sign-in and error pages

You can customize your Okta org by replacing the Okta domain name with your own domain name. You can customize the Content Security Policy (CSP) for a custom domain, letting you control which URLs you can link to from your customized sign-in and error pages.

HealthInsight task recommendation

Add URLs for trusted external resources in the CSP for your custom domain, such as links to images. This allows only approved content to appear and prevents the introduction of potentially malicious code to these pages.

Okta recommends adding URLs for trusted external resources in the CSP for your custom domain, and then adding these links to the code in your sign-in and error pages.

Security impact: High
End-user impact: Moderate

Customize the CSP for a custom domain

  1. In the Admin Console, go to Customizations > Brands.
  2. Click the brand you want to customize.
  3. To add trusted external resources for sign-in pages, click Customize in the Sign-in page section. To add trusted external resources for error pages, click Customize in the Error pages section.
  4. Click Settings.
  5. Click Edit in the Content Security Policy section.
  6. Create a list of Trusted external resources. Click Add and enter or paste the URL for a trusted external resource in the field.

    All external resources that aren't in this list are considered untrusted and aren't allowed to appear on your sign-in or error pages.

  7. Enter a Validations report URI to send report details to.
  8. Choose an Enforcement option:
    • Select Enforced to block resources that are untrusted by the CSP.
    • Select Not enforced (Report-only mode) for testing purposes only.
  9. Click Save to draft.
  10. Click Preview to review your changes.
  11. Click Publish.
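
The following Python model, added here as an illustration and not part of Okta's product or documentation, shows how the trusted-resource list, report URI and enforcement option above translate into a browser CSP: trusted origins form an allowlist, the report URI receives violation reports, and report-only mode reports untrusted resources instead of blocking them. It assumes a `default-src` directive with `'self'` for the custom domain; Okta's actual directives are not specified on this page.

```python
# Illustrative model of the CSP allowlist described above (not Okta's code).
# Assumptions: trusted resources are allowlisted by origin under default-src,
# the custom domain itself is allowed via 'self', and the Validations report
# URI is emitted as report-uri. Okta's actual directives may differ.
from urllib.parse import urlparse

def origin_of(url):
    """Return scheme://host[:port] for an absolute URL, or None for a relative one."""
    p = urlparse(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}"

def csp_header(trusted, report_uri, enforced=True):
    """Build (header name, header value) from the trusted-resource list.
    Enforced sends Content-Security-Policy (untrusted resources are blocked);
    report-only sends Content-Security-Policy-Report-Only (violations are only reported)."""
    origins = []
    for url in trusted:
        o = origin_of(url)
        if o and o not in origins:
            origins.append(o)
    value = "default-src 'self' " + " ".join(origins) + f"; report-uri {report_uri}"
    name = "Content-Security-Policy" if enforced else "Content-Security-Policy-Report-Only"
    return name, value

def evaluate(page_resources, trusted, enforced=True):
    """Classify each resource a page references as allowed, blocked or reported."""
    allowed = {origin_of(u) for u in trusted} - {None}
    outcome = {}
    for url in page_resources:
        o = origin_of(url)
        if o is None or o in allowed:          # same-origin or trusted origin
            outcome[url] = "allowed"
        else:
            outcome[url] = "blocked" if enforced else "reported"
    return outcome

if __name__ == "__main__":
    # Constructed sample values, not real Okta configuration.
    TRUSTED = ["https://cdn.example.com/brand/logo.png",
               "https://fonts.example.com/inter.woff2"]
    REPORT_URI = "https://csp-reports.example.com/okta"
    PAGE = ["/assets/signin.css",
            "https://cdn.example.com/brand/logo.png",
            "https://unapproved.example.net/widget.js"]
    print(csp_header(TRUSTED, REPORT_URI, enforced=False))
    for url, result in evaluate(PAGE, TRUSTED, enforced=True).items():
        print(f"{result:8} {url}")
```

Running the same page through report-only first shows every resource that would later be blocked, which is the purpose of the "Not enforced" option before you publish with enforcement on.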

Related topics

HealthInsight tasks and recommendations

Customize the Content Security Policy (CSP) for a custom domain