JavaScript Embedded Analytics: Security

AG Studio provides the configuration options needed to run it under a restrictive browser security policy, such as a Content Security Policy, so that your application can meet its security requirements.

Content Security Policy (CSP)

Background on Content Security Policy is covered by the MDN Web Docs, which explain the directives used below. Studio works with CSP, but some configuration is necessary for your application to load correctly under a policy. The minimum set of CSP rules Studio needs is described below.

style-src

Themes work by injecting CSS styles into the DOM when Studio initialises. By default this requires a style-src 'unsafe-inline' directive in your CSP.

However, you can avoid this requirement using the styleNonce Studio property as shown below. The styleNonce property must be set to an unguessable random value that is generated on the server for each page load (at least 128 bits of randomness, typically base64-encoded), and the same value must appear in the page's style-src directive. Never hard-code the value into a static page: a nonce that an attacker can predict provides no protection. The value in the example is an illustrative placeholder only.

const studioProperties = {
    // placeholder value: in production, generate a fresh random nonce per page load
    styleNonce: "416d1177",

    // other studio properties ...
}

This sets the nonce attribute on the style tag, so Studio will now work with the CSP directive style-src 'nonce-416d1177' without the need for 'unsafe-inline'.

A CSP nonce is scoped to the page, not to a component: it is issued once per page load and checked against a single policy. When a page has multiple Studio instances, all of them must therefore be given the same styleNonce, and that value must be the one named in the style-src directive.

img-src

The img-src data: directive is required because Studio uses data: URLs to embed SVG images in its CSS.

font-src

If you use the loadThemeGoogleFonts Studio property, fonts will be loaded from the Google font CDN, which requires the font-src fonts.gstatic.com directive.

Example Locked-Down CSP

The example CSP below allows Studio to run under a restrictive policy. It is shown as a meta tag, but the same policy can be delivered as a Content-Security-Policy response header, which is preferable: a meta-delivered policy cannot carry the frame-ancestors, report-uri or sandbox directives, and a header is applied before any of the page is parsed.

<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; style-src 'self' 'nonce-123xyz'; img-src 'self' data:">

It assumes:

  1. The application loads assets from the same server ('self')
  2. You are not using loadThemeGoogleFonts
  3. The random string passed to styleNonce on this page load is "123xyz"

Security Vulnerability Testing

Applications may be required to pass an Application Security Test prior to being put into production. If your application is using AG Studio, you will want to make sure that AG Studio has also been tested for security vulnerabilities.

AG Studio is tested for a wide variety of security vulnerabilities using SonarQube, a static analysis (SAST) tool. SonarQube applies a number of security rules covering well-established vulnerability standards such as CWE, the SANS Top 25 and the OWASP Top 10. For more details please refer to the section on Security-related Rules. Note that static analysis of the library does not cover your own integration code or deployment configuration (such as the CSP described above), which should be included in your application's own security testing.

Security Contact

At AG Grid, we take security seriously. If you believe you've discovered a vulnerability, security issue, or have any concerns related to the security of our libraries or websites, we encourage you to contact us directly.

Please email us at security@ag-grid.com with details of the issue. We appreciate responsible disclosure and will work quickly to investigate and resolve any confirmed concerns.