Setting up Content Security Policy for 1C-Bitrix

Our company develops, supports and maintains Bitrix and Bitrix24 solutions of any complexity, from simple one-page sites to complex online stores and CRM systems integrated with 1C and telephony. Our developers' experience is confirmed by vendor certificates.

Content Security Policy Setup for 1C-Bitrix

Content-Security-Policy (CSP) is an HTTP response header that tells the browser which sources it may load resources from. Configuring it for Bitrix sites is non-trivial: the core, components and third-party widgets (analytics, chat tools, payment forms) pull from dozens of different domains, and an incorrect CSP either does nothing or breaks functionality.

How to Implement CSP in Bitrix

The header is added at the web server level or in code. The preferred approach is via nginx:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline';" always;

Alternatively, add it in init.php via \Bitrix\Main\Context::getCurrent()->getResponse()->addHeader(), but then only PHP-rendered pages receive the header; static assets served directly by the web server do not.

Analyzing Required Sources

Before writing the enforced policy, run the site in Content-Security-Policy-Report-Only mode:

add_header Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report-endpoint" always;

The browser will report violations without blocking anything. Watch the devtools console and the reports posted to the report-uri endpoint for several days, collecting every domain your components use.
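Reports arrive at the report-uri endpoint as JSON bodies with a csp-report object. The script below is an added example (not part of this page or of Bitrix) that aggregates such reports into per-directive allowlists and renders a draft policy; the sample reports, the shop.example document URI and the report-body fields are constructed to mirror what browsers send, including the WebSocket and payment-frame cases described later on this page.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

def _report(directive, blocked, effective=None):
    """Constructed report body in the JSON shape browsers POST to a report-uri endpoint."""
    body = {"document-uri": "https://shop.example/", "violated-directive": directive, "blocked-uri": blocked}
    if effective:  # Chrome-style reports carry effective-directive; Firefox-style ones do not
        body["effective-directive"] = effective
    return json.dumps({"csp-report": body})

# Sample reports for a hypothetical shop (constructed, not captured from a real site).
SAMPLE_REPORTS = [
    _report("frame-src", "https://securepay.tinkoff.ru/html/payForm/", "frame-src"),
    _report("connect-src", "wss://mc.yandex.ru/visor/12345", "connect-src"),
    _report("connect-src", "wss://mc.yandex.ru/visor/67890", "connect-src"),  # same origin: deduplicated
    _report("script-src-elem", "https://mc.yandex.ru/metrika/tag.js", "script-src-elem"),
    _report("script-src 'self'", "inline"),  # value inside violated-directive, no effective-directive
    _report("img-src", "data", "img-src"),
]

# blocked-uri values that are keywords, not URLs, and the source expression each one requires
KEYWORD_SOURCES = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'", "data": "data:", "blob": "blob:"}

def _directive(report):
    """Prefer effective-directive, else the first token of violated-directive; fold -elem/-attr into the base."""
    name = report.get("effective-directive") or report["violated-directive"].split()[0]
    return name.removesuffix("-elem").removesuffix("-attr")

def _source(blocked_uri):
    """Keyword blocked-uri -> its source expression; URL -> its origin (scheme://host); otherwise None."""
    if blocked_uri in KEYWORD_SOURCES:
        return KEYWORD_SOURCES[blocked_uri]
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None

def collect_sources(raw_reports):
    """Aggregate directive -> set of needed sources, skipping malformed report bodies."""
    sources = defaultdict(set)
    for raw in raw_reports:
        try:
            report = json.loads(raw)["csp-report"]
            directive, src = _directive(report), _source(report["blocked-uri"])
        except (ValueError, KeyError, IndexError, TypeError, AttributeError):
            continue
        if src:
            sources[directive].add(src)
    return dict(sources)

def draft_policy(sources):  # render the aggregate as a header value, 'self' first in every directive
    return "; ".join(f"{d} 'self' {' '.join(sorted(s))}" for d, s in sorted(sources.items()))
```

Review the draft by hand before enforcing it: a reported origin is only evidence that something requested it, not that it belongs in the policy.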

Typical sources for a Bitrix site:

  • 'unsafe-inline' for script-src — nearly unavoidable due to Bitrix inline scripts
  • https://mc.yandex.ru — Yandex.Metrica
  • https://www.google-analytics.com, https://www.googletagmanager.com — GTM/GA
  • https://pay.alfabank.ru, https://securepay.tinkoff.ru — payment systems (for frame-src)
  • https://widget.jivosite.com — Jivo and similar (for frame-src, connect-src)

Limitations Due to Inline Code

Bitrix makes extensive use of onclick attributes and inline <script> tags without nonces — this conflicts with script-src 'self' without 'unsafe-inline'. Fully removing 'unsafe-inline' requires refactoring templates and components to add nonce attributes.

A pragmatic compromise: apply a strict policy at least to frame-ancestors, object-src and base-uri. These directives (who may embed the site in a frame, plugin content, and the <base> tag) give the most security benefit with the fewest conflicts, because none of them touches the site's own inline scripts:

Content-Security-Policy: frame-ancestors 'self'; object-src 'none'; base-uri 'self';

Real-World Case

A B2C store with an embedded live chat and a payment form in an iframe. After enabling CSP, the Tinkoff payment form stopped opening: the iframe was blocked by frame-src 'self', because the payment domain securepay.tinkoff.ru had not been added to the policy. In addition, Yandex.Metrica stopped recording session replays, since its WebSocket connections to mc.yandex.ru were blocked by connect-src. Solution: all required domains were collected in Report-Only mode and added to the corresponding directives, after which the strict policy was applied.

Delivery Time

Developing and deploying CSP with a preliminary Report-Only audit — 4 to 8 hours depending on the number of third-party services on the site.