Content Security Policy


Content Security Policy

Secure Your Application

A Content-Security-Policy is a header which instructs a browser how to interpret & allow or deny various types of active content (images, fonts, frames, …). It helps mitigate certain types of attacks including Cross-Site-Scripting (XSS) or data injection.

content-security
content-security

Concepts

A Content-Security-Policy is a header which instructs a browser how to interpret & allow or deny various types of active content (images, fonts, frames, …). It helps mitigate certain types of attacks including Cross-Site-Scripting (XSS) or data injection.

The Agilicus Web Application Firewall allows setting and editing this header. You can see it on the ‘Define’ tab of the application. 3 macro-settings may be applied:

  • clear — remove (unset) the Content-Security-Policy
  • strict angular defaults — this is a set of defaults suitable for an Angular application compiled with AOT and subresource-integrity
  • lax angularjs defaults — this is a set of defaults suitable for an older AngularJS application (including unsafe-inline)

Once you set one of these buttons you may then edit the individual types.

In addition to the check-box settings, a set of ‘hosts’ may be configured. This can include ‘data:’ , ‘*’, ‘https:’, ‘https://example.com’, etc. For more information see Content Security Policy (CSP) in the Mozilla Web Docs.

2e72e58d image

Additional Information

Want Assistance?

The Agilicus team is here for you. The ‘Chat‘ icon in the lower left, here, or in the administrative web page, goes to our team.

Or, feel free to email support@agilicus.com