Content Security Policy

Concepts

A Content-Security-Policy is a header which instructs a browser how to interpret & allow or deny various types of active content (images, fonts, frames, …). It helps mitigate certain types of attacks including Cross-Site-Scripting (XSS) or data injection.

The Agilicus Web Application Firewall allows setting and editing this header. You can see it on the ‘Define’ tab of the application. 3 macro-settings may be applied:

  • clear — remove (unset) the Content-Security-Policy
  • strict angular defaults — this is a set of defaults suitable for an Angular application compiled with AOT and subresource-integrity
  • lax angularjs defaults — this is a set of defaults suitable for an older AngularJS application (including unsafe-inline)

Once you set one of these buttons you may then edit the individual types.

In addition to the check-box settings, a set of ‘hosts’ may be configured. This can include ‘data:’ , ‘*’, ‘https:’, ‘https://example.com’, etc. For more information see Content Security Policy (CSP) in the Mozilla Web Docs.

Additional Information