Customize the Content Security Policy for apps

Live on cloud • All plans

Admins can now customize the Content Security Policy (CSP) that Retool enforces on apps. Retool applies a strict default policy that restricts which origins an app can load scripts, fonts, images, and other resources from. You can now extend that policy org-wide to allow the additional origins your apps need, or tighten the defaults further.

For example, if custom JavaScript in an app loads a charting library from a CDN such as https://cdn.example.com, the default script-src 'self' policy blocks the script and the chart fails to render. You can now add that origin to script-src so the app can load it, without loosening the policy for any other resource type.
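To make the "extend one directive without loosening the others" point concrete, here is an added example that is not Retool's code: a minimal CSP source-list evaluator. It parses a policy string, checks whether a given directive would allow a resource URL (falling back to default-src when a directive is absent, as browsers do), and lists exactly which sources an org-wide change adds. The page origin, the default policy and the extended policy are constructed stand-ins, not Retool's real defaults.

```javascript
// Added example (not Retool's implementation): a small CSP evaluator that
// shows why adding https://cdn.example.com to script-src permits the script
// while img-src and font-src stay as strict as before.

// Parse "script-src 'self' https://a.com; img-src 'self'" into a Map.
// The first occurrence of a directive wins, as in browsers.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does one source expression match the resource URL?
// Handles 'none', 'self', '*', scheme-only sources (https:) and host sources
// with an optional scheme and *.wildcard subdomain. Ports are ignored here.
function sourceMatches(source, resourceUrl, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return resourceUrl.origin === pageOrigin;
  if (s === '*') return true;
  if (s.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not host sources
  if (s.endsWith(':') && !s.includes('://')) return resourceUrl.protocol === s;
  let scheme = null;
  let hostPart = s;
  const idx = s.indexOf('://');
  if (idx !== -1) {
    scheme = s.slice(0, idx) + ':';
    hostPart = s.slice(idx + 3);
  }
  const host = hostPart.split('/')[0].split(':')[0];
  if (scheme && scheme !== resourceUrl.protocol) return false;
  if (host.startsWith('*.')) return resourceUrl.hostname.endsWith(host.slice(1));
  return resourceUrl.hostname === host;
}

// Would `directive` (e.g. 'script-src') allow loading `resourceUrlString`?
// Falls back to default-src; if neither is present the load is unrestricted.
function isAllowed(policy, directive, resourceUrlString, pageOrigin) {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(resourceUrlString);
  return sources.some(src => sourceMatches(src, url, pageOrigin));
}

// Sources present in `after` but not in `before`, per directive: the review
// question for any org-wide CSP change is "what exactly did this loosen?".
function addedSources(before, after) {
  const b = parseCsp(before);
  const added = {};
  for (const [name, sources] of parseCsp(after)) {
    const prev = new Set(b.get(name) ?? []);
    const extra = sources.filter(src => !prev.has(src));
    if (extra.length > 0) added[name] = extra;
  }
  return added;
}

// Constructed values for the demonstration (not Retool's real origin or defaults).
const PAGE_ORIGIN = 'https://app.example.com';
const DEFAULT_POLICY = "default-src 'self'; script-src 'self'; img-src 'self'";
const EXTENDED_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self'";

console.log('chart.js under default policy:',
  isAllowed(DEFAULT_POLICY, 'script-src', 'https://cdn.example.com/chart.js', PAGE_ORIGIN));
console.log('chart.js under extended policy:',
  isAllowed(EXTENDED_POLICY, 'script-src', 'https://cdn.example.com/chart.js', PAGE_ORIGIN));
console.log('logo.png from the same CDN under extended policy:',
  isAllowed(EXTENDED_POLICY, 'img-src', 'https://cdn.example.com/logo.png', PAGE_ORIGIN));
console.log('what the change added:', JSON.stringify(addedSources(DEFAULT_POLICY, EXTENDED_POLICY)));
```

Running it shows the script allowed only after the change, the image from the same CDN still blocked, and `addedSources` reporting a single new entry under script-src; that last output is the kind of before/after summary worth keeping next to the audit log entry for the change.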

Configure rules in Settings > App security > Content Security Policy. Changes apply to every app in your organization and are recorded in your audit logs.

For more information, refer to Customize the Content Security Policy for apps.