Strict Content Security Policy (CSP) enforcement for code apps

[jordanchodakWork]

Starting on January 26, 2026, we will begin rolling out strict Content Security Policy (CSP) enforcement for Power Apps code apps, which are currently in public preview. CSP is a security feature that helps protect your apps from malicious content by restricting which external sources your app can access.

How does this affect me?

After January 30, 2026, Power Apps code apps that call assets outside of Power Apps domains will have those requests blocked by default. The code app will play, but these assets called from an external source will not load.

Please visit How to: Configure Content Security Policy (preview) - Power Apps for more information about the default CSP configuration.

What action do I need to take?

To enable your code app to call assets from external sources, you will need to allowlist any required external sources using the CSP configuration settings in the Power Platform admin center.

To prepare for this change, we recommend you configure CSP by using Power Platform admin center and follow the steps below. We recommend taking these steps if you are unsure about what your CSP configuration should be, and your code app is business critical:

1. Temporarily toggle off the Enforce content security policy setting.
2. Toggle on the Enable reporting setting.
3. Test which sources need to be added to your allowlist after the enforcement date of January 30, 2026.
4. Add the required sources to your allowlist.
5. Toggle on the Enforce content security policy setting.

If your app does not need to call external assets or is not business critical, leave CSP enforcement enabled and enable reporting mode to monitor policy violations and proactively configure CSP.