Document empty value for CSP headerName system property (#8795)

daniel-beck · web-flow · commit e62c673f2fe1 · 2026-02-04T13:55:44.000Z
Co-authored-by: Daniel Beck &lt;daniel-beck@users.noreply.github.com&gt;
diff --git a/content/doc/book/managing/system-properties.adoc b/content/doc/book/managing/system-properties.adoc
@@ -1932,12 +1932,12 @@ properties:
   - security
   def: |
     undefined
-  since: 2.539
+  since: 2.539 (empty value since 2.542 and LTS 2.541.1)
   description: |
     Defines the name of the Content Security Policy header to enforce.
     This option takes precedence over UI configuration, Configuration as Code, and `mvn hpi:run` defaults.
-    The only possible values are `Content-Security-Policy` and `Content-Security-Policy-Report-Only`.
-    For escape hatch use, choose `Content-Security-Policy-Report-Only` to disable enforcement of too restrictive Content Security Policy.
+    The only possible values are `Content-Security-Policy`, `Content-Security-Policy-Report-Only`, and the empty string if neither header should be set.
+    For escape hatch use, either choose `Content-Security-Policy-Report-Only` to disable enforcement of too restrictive Content Security Policy (but retain the header), or set it to the empty string to disable it entirely.
     See link:/doc/book/security/csp/[the documentation].
 
 - name: jenkins.security.csp.impl.DevelopmentHeaderDecider.DISABLED
