Are you a customer of Octopus Deploy? Don't raise the issue here. Please contact our support team so we can triage your feature request, making sure it's handled appropriately.
Prerequisites
The enhancement
The Need
Attackers are able to redirect the request base url for fetching of resource, stylesheets, application code if a base-uri directive is not included in the Content Security Policy.
Solution
Include a base-uri directive in the default CSP
Screenshots and Mockups
Links
More information
The base-uri directive is available to be turned on for all supported versions (2025.4, 2026.1, 2026.2 at the time of writing).
By setting the environment variable OCTOPUS__FeatureToggles__BaseUriFeatureToggle with a value of true. The default value will be none.
Additionally, the value of this can be set using the environment variable OCTOPUS__ContentSecurityPolicy__BaseUri, with a supported value, as per https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/base-uri
Are you a customer of Octopus Deploy? Don't raise the issue here. Please contact our support team so we can triage your feature request, making sure it's handled appropriately.
Prerequisites
The enhancement
The Need
Attackers are able to redirect the request base url for fetching of resource, stylesheets, application code if a
base-uridirective is not included in the Content Security Policy.Solution
Include a
base-uridirective in the default CSPScreenshots and Mockups
Links
More information
The
base-uridirective is available to be turned on for all supported versions (2025.4, 2026.1, 2026.2 at the time of writing).By setting the environment variable
OCTOPUS__FeatureToggles__BaseUriFeatureTogglewith a value oftrue. The default value will benone.Additionally, the value of this can be set using the environment variable
OCTOPUS__ContentSecurityPolicy__BaseUri, with a supported value, as per https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/base-uri