Configuring Content security policy headers - Platform - BlueCat Gateway - 24.1

Gateway Administration Guide

Product name
BlueCat Gateway

Within Security settings in the General Configuration, you can configure content-security-policy response headers. The content-security-policy header is an HTTP response header that lets website administrators control the resources loaded for a given web page. It is part of the Content Security Policy (CSP) specification, an added security layer that helps detect and mitigate cross-site scripting (XSS) attacks, data injection attacks, and click-jacking.

A policy consists of a series of policy directives for different resource types or policy areas. The Content Security Policy specification supports a wide variety of policy restrictions. By default, Gateway includes a style-src directive that prevents style elements from applying inline styles in browsers.

To configure content security response headers in Gateway:

To configure Gateway security response headers:

  1. Open the General configuration window, then expand the Security section. (Click the Navigator button if necessary, then click Configurations > General configuration. Click Security at the bottom to expand the Security settings.)

    The Content security policy section is at the top of the Security section.

  2. Under Content security policy, configure the desired content-security-policy settings:

    • In Policy, enter a valid content-security-policy directive.

      By default, the policy is the following:

      style-src 'self' 'unsafe-inline'
    • In Report URI, specify a content security policy report-uri directive.

      This directive tells the user agent where to report attempts that violate the Content Security Policy. Violation reports consist of JSON documents sent via an HTTP POST request to the specified Report URI.

    • (Optional) To only report content security violations and not enforce them, select the Report Only checkbox. (This setting appears only when you enter a valid Report URI.)

      Doing so enables the Content-Security-Policy-Report-Only response header. This option lets you test policies by monitoring but not enforcing their effects.

      Note: When you're satisfied that your policies are working as intended, make sure you clear this checkbox to start enforcing them.
  3. When you're done, click Save.

    To cancel your changes, click Cancel.