Content-Security-Policy rewrite, multiple headers

Matthew Riddler

Hello again,


I have been fighting for the last few months with getting Duo set as a second factor on one of our gateways. We were just getting a second password screen rather than an MFA selection screen.

Finally figured this out to be the Content-Security-Policy HTTP header causing this. As the second screen that is appearing is trying to launch an iframe from a duosecurity.com URL, it is being blocked.

By default the version of ADC that I am running has the default content header enabled. I don't really want to turn this off, as I have other virtual servers that are just domain based.

I have followed the guide in this citrix doc (https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/aaa-rewrite/csp-header.html) to create a rewrite. 

I now have a Content-Security-Policy header applied with the correct details, to allow iframe from duosecurity.com, but it also has the default Content-Security-Policy header applied, so I have 2.

As the most restrictive applies, my URL is still not working as expected.

Is there a way to replace the default header? Potentially a rewrite rule to delete any Content-Security-Policy headers & then let it apply the one with the correct details in it.


Any help appreciated.


General rewrite behavior:

You could do a single rewrite REPLACE action to replace the http.req.header("Content-Security-Policy") and insert your new rewrite value.

OR you would have to bind your DELETE policy before your INSERT rewrite, and change the GOTO from END to NEXT on the policy bindings to find all matching policies. (Though replace is the safer option.)

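A worked version of the two options in the reply above, as an added example (not configuration from the thread, the linked doc or Citrix): the single REPLACE action, and the DELETE-then-INSERT chain bound with GOTO NEXT. It acts on HTTP.RES because Content-Security-Policy is a response header; the vserver and policy names, the binding type, the wildcard duosecurity.com source and the bracketed placeholder are assumptions to adapt to your gateway.

```nscli
# Added example, not from the thread or Citrix. Assumed names: gw_vs (Gateway
# vserver), rw_act_csp_* / rw_pol_csp_*. The CSP value is a placeholder: paste the
# exact directives you already use in your INSERT action, keeping the frame-src
# entry for duosecurity.com (wildcard subdomain assumed here).

# --- Option 1 (preferred): REPLACE the value of the existing header -----------
# REPLACE on a header expression overwrites that header's value, so the default
# CSP is rewritten in place and the client receives exactly one header.
add rewrite action rw_act_csp_replace replace "HTTP.RES.HEADER(\"Content-Security-Policy\")" "\"default-src 'self'; frame-src 'self' https://*.duosecurity.com; <rest of your policy>\""

# Fire only when the default header is present; otherwise the REPLACE target
# does not exist and nothing would be rewritten.
add rewrite policy rw_pol_csp_replace "HTTP.RES.HEADER(\"Content-Security-Policy\").EXISTS" rw_act_csp_replace

# Bind on the response side. Unbind the earlier INSERT policy first, or two
# policies will both try to set the same header. The binding type is assumed
# (RESPONSE); check the type your build uses for the authentication pages.
bind vpn vserver gw_vs -policy rw_pol_csp_replace -priority 100 -gotoPriorityExpression END -type RESPONSE

# --- Option 2: DELETE then INSERT ---------------------------------------------
# The delete policy needs the lower priority number (evaluated first) and GOTO
# NEXT so evaluation continues on to the insert policy; END would stop there.
add rewrite action rw_act_csp_delete delete_http_header Content-Security-Policy
add rewrite policy rw_pol_csp_delete "HTTP.RES.HEADER(\"Content-Security-Policy\").EXISTS" rw_act_csp_delete

add rewrite action rw_act_csp_insert insert_http_header Content-Security-Policy "\"default-src 'self'; frame-src 'self' https://*.duosecurity.com; <rest of your policy>\""
add rewrite policy rw_pol_csp_insert true rw_act_csp_insert

bind vpn vserver gw_vs -policy rw_pol_csp_delete -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind vpn vserver gw_vs -policy rw_pol_csp_insert -priority 110 -gotoPriorityExpression END -type RESPONSE

# --- Check ---------------------------------------------------------------------
# From a client, confirm a single header is returned (hostname is a placeholder):
#   curl -skI https://gateway.example.com/ | grep -i content-security-policy
# Two lines means both policies still apply and the browser will enforce both.
```

Use only one of the two options on a given vserver; with both bound, the REPLACE policy and the INSERT policy would each set the header.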
