Jump to content

Change the default Content-Security-Policy

Recommended Posts


When I add our CSP Header Rewrite Policy, it works on all pages except Access Gateway and AAA authentication vServers.

For CAG and AAA vServer I have to enable the Default CSP Header under AAA Parameters: https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/aaa-rewrite/csp-header.html

Is there a way to change the default csp header with our entries? the default header has no entry for frame-ancestors for example.

Thanks and Cheers,

Link to comment
Share on other sites

  • 3 weeks later...
  • 3 months later...


we can reproduce this behavior with Default CSP Header ENABLED under AAA Parameters: https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/aaa-rewrite/csp-header.html

We bind AAA-Response and Response Rewrite-Policies to the AAA Auth-Server like in the Netscaler docs described. W use this with 401-based authentication, but always get the following default CSP header values BEFORE AUTHENTICATION:

default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data: http:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self' vmware-view:; child-src 'self'

We want to rewrite this default values with custom values. Any idea?

2024-06-12 11_04_17-Erweiterung_ (HTTP Header Live) - HTTP Header Live Main – Mozilla Firefox.png

Link to comment
Share on other sites

Refer to this one https://www.citrix.com/blogs/2021/08/31/citrix-tips-scoring-an-a-with-http-headers-and-citrix-gateway/

add rewrite action REW_ACT-CONTENT_SECURITY_POLICY insert_http_header Content-Security-Policy "\"frame-ancestors \'self\'\""

I can't seem to find the article now, but this is what I'm running in production for a couple of environments:

add rewrite action rw_act_insert_Content_security_policy-service.customer.com insert_http_header Content-Security-Policy "\"default-src \'self\'; script-src https://www.google.com/recaptcha/api.js https://www.gstatic.com/recaptcha/releases/ https://service.customer.com \'self\' https://service.customer.com \'unsafe-inline\' \'unsafe-eval\'; connect-src \'self\'; img-src http://localhost:* https://service.customer.com \'self\' data: http: https:; style-src \'self\' \'unsafe-inline\'; font-src \'self\' data:; frame-src https://www.google.com/recaptcha/ com.citrix.agmacepa://* receiver://* citrixng://* com.citrix.nsgclient://* vmware-view:// nsgcepa://* application://* \'self\'; child-src \'self\' com.citrix.agmacepa://* receiver://* citrixng://* com.citrix.nsgclient://* vmware-view:// nsgcepa://nsgcepa application://*; form-action \'self\'; object-src \'none\'; report-uri /nscsp_violation/report_uri\""
add rewrite policy rw_pol_insert_Content_security_policy-service.customer.com TRUE rw_act_insert_Content_security_policy-service.customer.com

Just replace the service.customer.com with the Gateway FQDN (for Gateway use-case).

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...