TeamCity On-Premises 2020.2 Help

Content Security Policy in TeamCity

TeamCity implements additional HTTP security with the Content-Security-Policy (CSP) header.

The header prohibits TeamCity pages from downloading external resources, with some whitelisted exceptions. Downloading from non-whitelisted resources will be blocked.

In some setups, you may need to allow downloading external resources, for example when using analytics tools or when integrating TeamCity with external services via a plugin.

As a plugin developer, you can provide CSP directives via the ContentSecurityPolicyConfig OpenAPI interface.

Changing CSP Header Value

As a server administrator, you can change the CSP header value via the internal properties.

  • For TeamCity administration pages:

  • For other TeamCity pages:


Adding Google Analytics via internal properties

To allow Google Analytics, you must change the values of the following directives in the CSP header:

  • connect-src to allow loading Google Analytics URLs:

    connect-src 'self' ws: wss:

  • img-src to allow loading images:

    img-src 'self' data:;

  • script-src to allow loading JavaScript:

    script-src 'self' 'unsafe-inline' 'unsafe-eval'

The internal properties must be set as follows:

    # For TeamCity administration pages:
    teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; connect-src 'self' ws: wss:
    # For other pages:
    teamcity.web.header.Content-Security-Policy.protectedValue=frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; connect-src 'self' ws: wss:

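
The following Python helper is an added example, not part of the TeamCity documentation or code. It parses the header value shown above, appends one extra origin to the connect-src, img-src and script-src directives, and builds both internal property lines. The origin `https://analytics.example` is a constructed placeholder and the function names are hypothetical; a directive missing from the policy is seeded from default-src, because a newly added fetch directive stops falling back to it.

```python
# Added example: not TeamCity code. Function names are hypothetical.
# BASE_POLICY is the header value shown on this page.
BASE_POLICY = ("frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; "
               "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
               "img-src 'self' data:; connect-src 'self' ws: wss:")

# Internal property names as given on this page.
PROPERTIES = (
    "teamcity.web.header.Content-Security-Policy.adminUI.protectedValue",
    "teamcity.web.header.Content-Security-Policy.protectedValue",
)

def parse_csp(value):
    """Split a CSP header value into an ordered {directive: [sources]} dict."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so keep the first occurrence.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def allow_origin(policy, origin, directives):
    """Return a copy of policy with origin appended to each named directive."""
    if "*" in origin or not origin.startswith("https://"):
        raise ValueError(f"refusing broad or non-HTTPS source: {origin!r}")
    updated = {name: list(sources) for name, sources in policy.items()}
    for name in directives:
        if name not in updated:
            # A new fetch directive replaces the default-src fallback,
            # so start from the default-src sources (assumed 'self' if absent).
            updated[name] = list(updated.get("default-src", ["'self'"]))
        if origin not in updated[name]:
            updated[name].append(origin)
    return updated

def serialize(policy):
    """Join the directives back into a single header value."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())

def property_lines(origin, directives=("connect-src", "img-src", "script-src")):
    """Build the two internal property lines with origin allowed."""
    value = serialize(allow_origin(parse_csp(BASE_POLICY), origin, directives))
    return [f"{prop}={value}" for prop in PROPERTIES]

if __name__ == "__main__":
    # Constructed placeholder origin; substitute the service you actually need.
    print("\n".join(property_lines("https://analytics.example")))
```

Listing each origin explicitly, and rejecting wildcards and plain-HTTP sources as the helper does, keeps the relaxed policy as close as possible to the default one.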
Last modified: 05 February 2021