Admin Configuration

This section describes the configuration files related to the XP admin console and the standard admin tools.

Admin

XP_HOME/config/com.enonic.xp.admin.cfg

General settings for /admin.

Disable Content Security Policy for site preview
site.preview.contentSecurityPolicy=

Allow scripts from maps.googleapis.com
site.preview.contentSecurityPolicy=default-src 'self'; base-uri 'self'; form-action 'self'; script-src 'self' maps.googleapis.com; object-src 'none'; img-src * data:; style-src * 'unsafe-inline'; font-src * data:

site.preview.contentSecurityPolicy

Defines the default value of the Content-Security-Policy header sent by the site engine when it runs in the admin context. The policy applies in preview and inline mode, unless the page controller sets a Content-Security-Policy header itself. Default: default-src 'self'; base-uri 'self'; form-action 'self'; script-src 'self'; object-src 'none'; img-src * data:; style-src * 'unsafe-inline'; font-src * data:

XP Dashboard

XP_HOME/config/com.enonic.xp.app.main.cfg

Content Security Policy

Disabling or changing the built-in Content Security Policy is generally NOT RECOMMENDED. You may need to tweak the CSP settings only if you are building a Dashboard widget that has to reference external resources (for example, a YouTube video) or perform other actions that CSP considers potentially unsafe.

You can provide your own Content-Security-Policy header using the contentSecurityPolicy.header property. Note that if you provide your own header, you must include every directive you need, because the default directives ('self') will not be added.

Customized Content Security Policy for XP Dashboard
contentSecurityPolicy.header=default-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://*.youtube.com

To completely turn off Content Security Policy for the Dashboard, set contentSecurityPolicy.enabled property to false.

Disabled Content Security Policy for XP Dashboard
contentSecurityPolicy.enabled=false
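The site preview policies above (the default and the maps.googleapis.com variant) and the customized Dashboard policy are plain CSP strings, so one small evaluator can show what each of them permits. The following is an added example written for this page, not Enonic XP code: it parses a policy, implements the CSP source-matching rules these policies rely on ('self', 'none', '*', scheme sources such as data: and wss:, host sources with a wildcard subdomain, and the fallback of fetch directives to default-src), and reports whether a page on the XP origin could load a given URL. The origin https://xp.example and the third-party URLs in the demo are constructed values.

```python
"""Added example: a small Content-Security-Policy evaluator.

Written for this page, not part of Enonic XP. It implements only the parts of
CSP source matching needed to compare the policies quoted in this section.
"""
import fnmatch
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not listed (CSP3).
# base-uri and form-action are deliberately absent: they never fall back.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "object-src", "frame-src", "media-src", "worker-src", "manifest-src",
}

# Policies quoted from this page.
SITE_PREVIEW_DEFAULT = ("default-src 'self'; base-uri 'self'; form-action 'self'; "
                        "script-src 'self'; object-src 'none'; img-src * data:; "
                        "style-src * 'unsafe-inline'; font-src * data:")
SITE_PREVIEW_MAPS = SITE_PREVIEW_DEFAULT.replace("script-src 'self'",
                                                 "script-src 'self' maps.googleapis.com")
DASHBOARD_CUSTOM = ("default-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; "
                    "style-src 'self' 'unsafe-inline'; frame-src 'self' https://*.youtube.com")

# Constructed origin of the XP instance (assumption, not from the page).
PAGE_ORIGIN = "https://xp.example"


def parse_csp(header: str) -> dict:
    """'directive src src; directive ...' -> {directive: [sources]}.
    Duplicate directives: the first occurrence wins, as in the spec."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _self_matches(u, page_origin: str) -> bool:
    o = urlsplit(page_origin)
    if (u.hostname or "").lower() != (o.hostname or "").lower():
        return False
    if u.port != o.port:              # simplified: default ports are both None
        return False
    # CSP3 lets 'self' cover the secure/websocket variants of the page's scheme.
    return u.scheme == o.scheme or (o.scheme, u.scheme) in {
        ("http", "https"), ("http", "ws"), ("https", "wss")}


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit loading url from a page at page_origin?"""
    u = urlsplit(url)
    if source == "'self'":
        return _self_matches(u, page_origin)
    if source.startswith("'"):        # 'none', 'unsafe-inline', nonces, hashes: never a URL match
        return False
    if source == "*":                 # matches network schemes only, never data: or blob:
        return u.scheme in ("http", "https", "ws", "wss")
    if source.endswith(":"):          # scheme source such as data: or wss:
        return u.scheme == source[:-1].lower()
    # Host source, optionally with a scheme, a port and a leading wildcard label.
    src = urlsplit(source if "://" in source else f"{u.scheme}://{source}")
    if src.scheme != u.scheme and not (src.scheme == "http" and u.scheme == "https"):
        return False
    if src.port is not None and src.port != u.port:
        return False
    return fnmatch.fnmatchcase((u.hostname or "").lower(), (src.hostname or "").lower())


def allows(header: str, directive: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Would the policy let a page at page_origin load url under directive?
    Returns True when the policy does not govern the directive at all."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")   # CSP fallback rule
    if sources is None:
        return True
    return any(_source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    checks = [   # constructed URLs
        (SITE_PREVIEW_DEFAULT, "script-src", "https://maps.googleapis.com/maps/api/js"),
        (SITE_PREVIEW_MAPS, "script-src", "https://maps.googleapis.com/maps/api/js"),
        (SITE_PREVIEW_DEFAULT, "connect-src", "https://api.example.net/data"),
        (DASHBOARD_CUSTOM, "frame-src", "https://www.youtube.com/embed/abc"),
        (DASHBOARD_CUSTOM, "frame-src", "https://player.vimeo.com/video/1"),
    ]
    for header, directive, url in checks:
        verdict = "allowed" if allows(header, directive, url) else "blocked"
        print(f"{directive:12} {url:45} {verdict}")
```

Running it shows that the default preview policy blocks the Google Maps script while the second variant allows it, that connect-src under the default preview policy falls back to default-src 'self' (which is why the Dashboard policy lists connect-src explicitly when ws: and wss: endpoints on other hosts are needed), and that the Dashboard frame-src wildcard admits https://www.youtube.com but not a plain-http YouTube URL or another video host.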

Applications app

XP_HOME/config/com.enonic.xp.app.applications.cfg

Disable installation of apps from UI
readonlyMode = true
readonlyMode

Enable read-only mode to prevent installation and starting/stopping of applications via the UI. Default: false

Jetty

XP_HOME/config/com.enonic.xp.web.jetty.cfg

Selected options for configuring the embedded Jetty servlet engine.

Sample Jetty configuration
host =
sendServerHeader = false

# Connection
timeout = 60000

# HTTP settings
http.enabled = true
http.port = 8080
http.requestHeaderSize = 32768
http.responseHeaderSize = 32768

# Session
session.timeout = 60
session.cookieName = JSESSIONID

# Compression
gzip.enabled = true
gzip.minSize = 23

# Logging
log.enabled = false
log.file = ${xp.home}/logs/jetty-yyyy_mm_dd.request.log
log.append = true
log.extended = true
log.timeZone = GMT
log.retainDays = 31

# Thread Pool
threadPool.maxThreads = 200
threadPool.minThreads = 8
threadPool.idleTimeout = 60000

# Websocket
websocket.idleTimeout = 300000

host

Should only be set if the host name (or IP address) needs to be fixed.

sendServerHeader

Set to true to send the server name in the response header. Default: false.

timeout

Socket timeout for connections, in milliseconds.

http.enabled

Set to true to enable HTTP connections. Default: true.

http.port

HTTP port number to use. Default: 8080.

http.requestHeaderSize

Maximum request header size. Default: 32K.

http.responseHeaderSize

Maximum response header size. Default: 32K.

session.timeout

Session timeout (when inactive) in minutes. Default: 60.

session.cookieSameSite

Specifies SameSite flag for session cookie. Can be Lax, None, Strict or unspecified. Default: Lax.

session.cookieAlwaysSecure

If true, forces the Secure flag on the session cookie even for HTTP connections. Default: false.

session.cookieName

Cookie name to use for sessions. Default: JSESSIONID.

gzip.enabled

Enables GZIP compression for responses. Default: false.

gzip.minSize

Minimum number of bytes in response to consider compressing the response. Default: 23.

log.enabled

Turns on request logging. Default: false.

log.file

Request log file location. Default: ${xp.home}/logs/jetty-yyyy_mm_dd.request.log.

log.append

Append to the existing file, or create a new one at startup. Default: true.

log.extended

Turns on the extended logging format. Default: true.

log.timeZone

Timezone to display timestamp in. Default: GMT.

log.retainDays

Number of days to retain the logs. Default: 31.

threadPool.maxThreads

Maximum number of threads. Default: 200.

threadPool.minThreads

Minimum number of threads. Default: 8.

threadPool.idleTimeout

Thread idle timeout (in milliseconds). Default: 60000.

websocket.idleTimeout

The time (in milliseconds) that a websocket may be idle before closing. Default: 300000.

Setting session.cookieAlwaysSecure to true makes any login that relies on the session cookie impossible over plain HTTP connections, because browsers will not send a Secure cookie over HTTP.
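The Jetty settings above, together with the note on session.cookieAlwaysSecure, are the kind of thing a reviewer checks before an instance is exposed. The following is an added example written for this page, not Enonic XP code: it reads a com.enonic.xp.web.jetty.cfg file, overlays the defaults documented in this section, and reports the settings and combinations worth a second look (server name disclosure, missing request log, SameSite=None without Secure, and the Secure-over-HTTP conflict described in the note). The two sample files and the review rules are my own; the rule that browsers only accept SameSite=None on Secure cookies is general browser behaviour, not something this page states.

```python
"""Added example: review an Enonic XP Jetty configuration file.

Constructed for this page, not part of Enonic XP. The defaults table is
taken from the settings documented above; the review rules are my own.
"""

# Documented defaults for the keys the review looks at (from this page).
JETTY_DEFAULTS = {
    "sendServerHeader": "false",
    "http.enabled": "true",
    "http.port": "8080",
    "session.timeout": "60",
    "session.cookieSameSite": "Lax",
    "session.cookieAlwaysSecure": "false",
    "session.cookieName": "JSESSIONID",
    "gzip.enabled": "false",
    "log.enabled": "false",
    "log.retainDays": "31",
}


def parse_cfg(text: str) -> dict:
    """Parse 'key = value' lines; '#' comments and blank lines are skipped.
    Values stay strings, so a ${xp.home} placeholder passes through untouched."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective(settings: dict) -> dict:
    """Documented defaults overlaid with what the file actually sets."""
    return {**JETTY_DEFAULTS, **settings}


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def review(settings: dict) -> list:
    """Return (key, message) pairs for settings a reviewer should question."""
    cfg = effective(settings)
    findings = []
    if _is_true(cfg["sendServerHeader"]):
        findings.append(("sendServerHeader",
                         "server name is sent in response headers; leave this at false"))
    if not _is_true(cfg["log.enabled"]):
        findings.append(("log.enabled",
                         "request logging is off, so there is no Jetty request log "
                         "to consult during an incident"))
    if cfg["session.cookieSameSite"].strip().lower() == "none" \
            and not _is_true(cfg["session.cookieAlwaysSecure"]):
        findings.append(("session.cookieSameSite",
                         "browsers only accept SameSite=None on Secure cookies; "
                         "serve over HTTPS and set session.cookieAlwaysSecure=true"))
    if _is_true(cfg["session.cookieAlwaysSecure"]) and _is_true(cfg["http.enabled"]):
        findings.append(("session.cookieAlwaysSecure",
                         "Secure is forced on the session cookie while HTTP is enabled: "
                         "session-based login over plain HTTP will not work"))
    return findings


# Constructed sample files (not taken from any real deployment).
RISKY_CFG = """\
sendServerHeader = true
http.enabled = true
http.port = 8080
session.timeout = 60
session.cookieSameSite = None
session.cookieAlwaysSecure = false
log.enabled = false
"""

CLEAN_CFG = """\
sendServerHeader = false
http.enabled = true
session.cookieSameSite = Lax
session.cookieAlwaysSecure = false
log.enabled = true
log.file = ${xp.home}/logs/jetty-yyyy_mm_dd.request.log
"""

HTTP_WITH_SECURE_CFG = """\
http.enabled = true
session.cookieAlwaysSecure = true
log.enabled = true
"""

if __name__ == "__main__":
    for name, text in (("risky", RISKY_CFG), ("clean", CLEAN_CFG),
                       ("http+secure", HTTP_WITH_SECURE_CFG)):
        print(name, review(parse_cfg(text)) or "no findings")
```

Keys not present in the file are reported at their documented defaults, so a file that never mentions log.enabled is still flagged for having no request log.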
