WebMail Lite 8 Documentation

Content-Security-Policy

Starting from v8.5.1, WebMail Lite 8 supports sending the Content-Security-Policy header, which helps prevent cross-site scripting, clickjacking and code injection attacks. CSP instructs the browser to load content only from allowed sources.

By default, the feature is enabled and the CSP header is set to an unrestrictive value configured in the data/settings/config.json file:

"ContentSecurityPolicy": [
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; img-src * data:; frame-src *",
    "string"
],


To disable sending this header, set the value to an empty string.

NB: If you're upgrading from a previous version, you may need to add the above value to the data/settings/config.json file manually.
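To see what the default value actually permits, the following added example (not part of WebMail Lite or its documentation) parses the setting and lists the source expressions that loosen it, plus the cases where the header is disabled or the setting is absent. It assumes the key sits at the top level of config.json as a [value, type] pair, as in the fragment above; the function names are hypothetical.

```python
import json

# Source expressions that loosen whichever directive they appear in.
WEAK_SOURCES = {
    "'unsafe-inline'": "allows inline script and style, so injected markup can run",
    "'unsafe-eval'": "allows eval()-style string-to-code execution",
    "*": "allows loading from any origin",
}

def parse_csp(policy):
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # Per the CSP spec, a repeated directive is ignored; keep the first.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit_config(config_text):
    """Return a list of findings for the ContentSecurityPolicy setting."""
    config = json.loads(config_text)
    # Assumption: the key is at the top level, stored as [value, type].
    entry = config.get("ContentSecurityPolicy")
    if entry is None:
        return ["setting not present in config.json"]
    value = entry[0]
    if value.strip() == "":
        return ["header disabled: value is an empty string"]
    directives = parse_csp(value)
    findings = []
    for name, sources in directives.items():
        for src in sources:
            if src in WEAK_SOURCES:
                findings.append(f"{name}: {src} {WEAK_SOURCES[src]}")
    # frame-ancestors does not fall back to default-src, so it must be explicit.
    if "frame-ancestors" not in directives:
        findings.append("frame-ancestors: not set, framing by other sites is not restricted")
    return findings

# Constructed sample: the default value shown on this page, wrapped in braces.
SAMPLE = """{"ContentSecurityPolicy": [
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; img-src * data:; frame-src *",
    "string"
]}"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
```

Run against the default value, this reports the two `unsafe-*` sources in default-src, the wildcards in img-src and frame-src, and the absence of frame-ancestors, which is the directive that controls whether other sites may frame the application.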