Custom Content Security Policy headers
Introduction
HTTP security headers are an important part of a website's security posture. They mitigate several classes of browser-side attack, including cross-site scripting (XSS) and clickjacking, by telling the browser which origins a page may load content from and who may embed it. Object storage is external to Seqera Platform, and browser-side read and write access to it from Data Explorer is strictly limited to a selected group of object storage providers. These providers are explicitly allowed in the Content Security Policy (CSP) that Platform serves; any storage endpoint not covered by the policy is blocked by the browser.
Supported object storage providers
Data Explorer can read from, and write to, the following object storage providers by default:
- Amazon S3
- Google Cloud Object Storage
- Azure Blob Storage
- OCI Object Storage
- Cloudflare R2
- LakeFS Cloud
Subdomain support
If your object storage provider and Seqera deployment are subdomains of the same parent domain (e.g. minio.janedoepharma.com and platform.janedoepharma.com), communication between Seqera and the provider works without additional customization, because the default policy contains a wildcard entry for that domain (the https://*.$lower_lvl_domain source in the template below). If the domains don't match, the CSP headers need to be customized.
Connecting additional providers
Accessing new object storage providers in Data Explorer requires adding the provider's origin to the CSP source list in the NGINX web server template. To update the platform configuration, edit the $base_child_src map in nginx-unprivileged.conf.template. The default value is:
# Default child-src source list; $host and $lower_lvl_domain are NGINX
# variables expanded at request time, the rest are fixed provider origins.
map $host $base_child_src {
default "'self' https://www.google.com https://*.$host https://*.$lower_lvl_domain https://*.amazonaws.com https://storage.googleapis.com https://*.blob.core.windows.net https://*.oci.customer-oci.com https://*.r2.cloudflarestorage.com https://*.lakefscloud.io blob:";
}
Append your object storage provider's origin to the list (for example, https://*.min.io). Use the narrowest pattern that matches your endpoint: a wildcard such as https://*.min.io allows every subdomain of min.io, so if your storage lives at a single hostname, list that hostname instead.
map $host $base_child_src {
default "'self' https://www.google.com https://*.$host https://*.$lower_lvl_domain https://*.amazonaws.com https://storage.googleapis.com https://*.blob.core.windows.net https://*.oci.customer-oci.com https://*.r2.cloudflarestorage.com https://*.lakefscloud.io blob: https://*.min.io";
}
If your object storage is accessed on a port other than the default for its scheme (443 for https), include the port in the source (e.g. https://myobjectstorage.min.io:9000): a CSP source without a port only matches requests to the default port, so https://*.min.io alone does not allow https://myobjectstorage.min.io:9000. The change takes effect when NGINX is next started or reloaded with the rendered configuration.
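NGINX only checks that the edited template parses; it does not tell you whether the resulting child-src list actually admits your storage URL. The script below is an example added for this page, not part of Seqera Platform or its NGINX template. It emulates the expansion of $host and $lower_lvl_domain, then applies the CSP host-source matching rules (scheme, *. host wildcard, port) to a candidate URL so you can check the policy offline before redeploying. It goes slightly beyond the page by also handling the 'self' keyword and scheme sources such as blob:. The deployment hostname, the assumption that $lower_lvl_domain holds the parent domain, the min.io hostnames and the bucket paths are all constructed for illustration.

```python
"""Check whether a Data Explorer storage URL is permitted by a CSP child-src list.

Example code added for this page; it is not part of Seqera Platform or its
NGINX template. Hostnames, the template copy and bucket paths are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed copy of the default $base_child_src value, with the two nginx
# variables ($host, $lower_lvl_domain) left unexpanded.
BASE_CHILD_SRC_TEMPLATE = (
    "'self' https://www.google.com https://*.$host https://*.$lower_lvl_domain "
    "https://*.amazonaws.com https://storage.googleapis.com "
    "https://*.blob.core.windows.net https://*.oci.customer-oci.com "
    "https://*.r2.cloudflarestorage.com https://*.lakefscloud.io blob:"
)


def render_child_src(template, host, lower_lvl_domain):
    """Emulate nginx expanding $host and $lower_lvl_domain in the map value."""
    return template.replace("$lower_lvl_domain", lower_lvl_domain).replace("$host", host)


def host_matches(pattern, host):
    """CSP host matching: '*' matches anything, '*.example.com' matches
    subdomains (but not example.com itself), otherwise exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_matches(source, url, self_origin):
    """Return True if one CSP source expression permits `url`."""
    target = urlsplit(url)
    if source == "'self'":
        return source_matches(self_origin, url, self_origin)
    if source.startswith("'"):          # 'none', 'unsafe-inline', ... never match a URL
        return False
    if source.endswith(":") and "/" not in source:   # scheme-source such as blob: or https:
        return target.scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    rest = rest.split("/", 1)[0]
    host_pat, _, port_pat = rest.rpartition(":") if ":" in rest else (rest, "", "")
    if scheme:
        scheme = scheme.lower()
        # CSP lets an http source also match an https URL, never the reverse
        if target.scheme != scheme and not (scheme == "http" and target.scheme == "https"):
            return False
    elif target.scheme not in DEFAULT_PORTS:
        return False
    if not host_matches(host_pat, target.hostname or ""):
        return False
    target_port = target.port if target.port is not None else DEFAULT_PORTS.get(target.scheme)
    if port_pat == "":
        # no port in the source: only the URL scheme's default port matches
        return target_port == DEFAULT_PORTS.get(target.scheme)
    return port_pat == "*" or target_port == int(port_pat)


def csp_allows(source_list, url, self_origin):
    """True if any source in the space-separated list permits `url`."""
    return any(source_matches(src, url, self_origin) for src in source_list.split())


def append_source(source_list, new_source):
    """Append a provider source, refusing catch-alls and duplicates."""
    if new_source in ("*", "http:", "https:"):
        raise ValueError("refusing a catch-all source; name the storage host explicitly")
    if new_source in source_list.split():
        return source_list
    return f"{source_list} {new_source}"


if __name__ == "__main__":
    self_origin = "https://platform.janedoepharma.com"      # assumed deployment origin
    policy = render_child_src(BASE_CHILD_SRC_TEMPLATE,
                              "platform.janedoepharma.com", "janedoepharma.com")
    for url in ("https://minio.janedoepharma.com/bucket/key",       # parent-domain wildcard
                "https://myobjectstorage.min.io/bucket/key",        # not yet allowed
                "https://myobjectstorage.min.io:9000/bucket/key"):  # non-default port
        print(url, "allowed" if csp_allows(policy, url, self_origin) else "BLOCKED")
    policy = append_source(policy, "https://*.min.io")
    policy = append_source(policy, "https://myobjectstorage.min.io:9000")
    print(csp_allows(policy, "https://myobjectstorage.min.io:9000/bucket/key", self_origin))
```

Run it with the rendered value of $base_child_src from your own deployment and the exact URL Data Explorer will request; a BLOCKED result means the browser will refuse the request even though NGINX accepted the template.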