Workaround: Working Swagger Docs for Store API in Shopware 6

When extending the Shopware Store API, it’s convenient to browse the generated Swagger docs and use a mock server (e.g., Prism). However, in a default Shopware 6 setup the Store API Swagger page can be blocked by Content Security Policy (CSP) settings.

This short note shows the workaround we used for dev/test environments.

Problem

Opening the Store API Swagger UI results in CSP errors such as:

Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").
.../bundles/framework/swagger-ui-bundle.js ("script-src")
.../bundles/framework/swagger-ui-standalone-preset.js ("script-src")

Workaround: relax CSP for Store API context

Shopware configures CSP via dependency injection parameters depending on context. You can override these parameters in your installation (dev/test) to allow the Swagger UI to load required resources.

Example (services.xml), loosen script-src for the specific context:

<parameters>
  <parameter key="shopware.security.content_security_policy.reporting.enabled">false</parameter>
  <!-- Adapt your script-src/style-src to allow swagger assets in dev -->
</parameters>

Adjust the values to match your project and Shopware version. The key point is: apply this only in non‑production systems where you need UI access.
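The three errors shown under Problem all come from the effective script-src: one inline script and two same-origin bundle files. The following sketch is an added example, not code from Shopware or from the original post; it evaluates a CSP header string for exactly those two cases and lists the sources that make a relaxed policy unsuitable for production. The sample policies are constructed, and only keyword sources and `*` are evaluated (no host or scheme matching).

```javascript
// Added example: function names and sample policies are constructed, not Shopware defaults.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec a repeated directive is ignored: the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      // Lower-cased for keyword matching only; nonce/hash values are not compared here.
      policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return policy;
}

function checkSwaggerUi(header) {
  const policy = parseCsp(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const src = policy.get('script-src') ?? policy.get('default-src');
  if (src === undefined) return { inline: true, bundles: true, risky: [] };
  const hasNonceOrHash = src.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const strictDynamic = src.includes("'strict-dynamic'");
  return {
    // Inline script without a nonce attribute: browsers ignore 'unsafe-inline'
    // as soon as a nonce, a hash or 'strict-dynamic' is present.
    inline: src.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic,
    // Same-origin bundle files need 'self' or a wildcard; 'strict-dynamic' disables both.
    bundles: !strictDynamic && (src.includes("'self'") || src.includes('*')),
    // Sources that are acceptable only on a dev/test system.
    risky: src.filter((s) => ["'unsafe-inline'", "'unsafe-eval'", '*'].includes(s)),
  };
}

// Constructed sample policies.
const samples = {
  strict: "default-src 'none'; script-src 'none'",          // inline and bundles blocked
  selfOnly: "script-src 'self'",                            // bundles load, inline still blocked
  devRelaxed: "script-src 'self' 'unsafe-inline'",          // Swagger UI loads; dev/test only
  nonceBased: "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'", // inline needs the nonce
};
for (const [name, header] of Object.entries(samples)) {
  console.log(name, JSON.stringify(checkSwaggerUi(header)));
}
```

A non-empty `risky` list on a header captured from a production host means the dev/test override has leaked into that environment.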

Tip: Mocking with Prism

For quick testing against the Store API, Prism can generate a mock server from your Swagger/OpenAPI files:

Run Prism against your OAS file and experiment with requests before wiring the real backend.

Notes

  • Keep CSP strict in production; this workaround is for local/dev usage.
  • Rebuild caches/containers after changing DI parameters.
  • Check the Shopware docs for the current CSP parameter names as they may change across versions.