Configuring Content security policy headers - Platform - BlueCat Gateway - 25.3.0

Gateway Administration Guide


Within Security settings in the General Configuration page, you can configure content-security-policy response headers. The content-security-policy header is an HTTP response header that lets website administrators control which resources a browser is allowed to load for a given web page. It is part of the Content Security Policy (CSP) specification, an added security layer that helps detect and mitigate cross-site scripting (XSS) attacks, data injection attacks, and clickjacking.

A policy consists of a series of policy directives for different resource types or policy areas. The Content Security Policy specification supports a wide variety of policy restrictions. By default, Gateway includes a style-src directive that prevents style elements from applying inline styles in browsers.

To configure content security policy response headers in Gateway:

  1. Open the General configuration window, then expand the Security section. (Click Settings at the bottom of the navigator on the left, expand Configurations, then click General configuration. Click Security to scroll to the Security section.)

    The Content security policy section is at the top of the Security section.

  2. Configure the Content security policy header settings as desired.

    For more details, see Content security policy header settings below.

  3. When you're done, click Save changes.

    To cancel your changes, click Cancel.

Content security policy header settings

The Content security policy section has the following settings.

Policy

    A valid content-security-policy directive.

    By default, the policy is the following:

    style-src 'self' 'unsafe-inline'

Report URI

    A content security policy report-uri directive.

    This directive tells the user agent where to report attempts that violate the Content Security Policy. Violation reports consist of JSON documents sent via an HTTP POST request to the specified Report URI.

Report only

    (This checkbox appears only when you enter a valid Report URI.)

    (Optional) If ticked, Gateway only reports content security policy violations and does not enforce the policy.

    Ticking this checkbox enables the Content-Security-Policy-Report-Only response header. This option lets you test policies by monitoring but not enforcing their effects.

    Important: When you're satisfied that your policies are working as intended, make sure you clear this checkbox to start enforcing them.
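The following is an added example, not BlueCat's code, that shows what the three settings above produce on the wire and what arrives at the Report URI: it assembles the Content-Security-Policy or Content-Security-Policy-Report-Only header from a policy string, an optional Report URI and the Report only flag, splits a serialized policy into its directives, and summarizes a violation report of the kind a browser POSTs to the report-uri endpoint. The function names, the /csp-report path and the sample report body are assumptions constructed for the example; only the default policy string comes from the page.

```python
"""Added example (not BlueCat's code): model the CSP header settings above."""
import json
from typing import Dict, List, Optional, Tuple

# Default policy as quoted on the page.
DEFAULT_POLICY = "style-src 'self' 'unsafe-inline'"


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP ("a b; c d") into {directive-name: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        directives[tokens[0].lower()] = tokens[1:]
    return directives


def build_csp_header(policy: str, report_uri: Optional[str] = None,
                     report_only: bool = False) -> Tuple[str, str]:
    """Return (header name, header value) for the Policy, Report URI and
    Report only settings. A Report URI appends a report-uri directive;
    Report only switches the header name to the Report-Only variant and,
    like the checkbox on the page, is only valid when a Report URI is set."""
    if not policy.strip():
        raise ValueError("policy must contain at least one directive")
    directives = parse_policy(policy)
    if report_uri:
        directives["report-uri"] = [report_uri]
    value = "; ".join(f"{name} {' '.join(sources)}".strip()
                      for name, sources in directives.items())
    if report_only:
        if not report_uri:
            raise ValueError("report-only mode requires a report URI")
        return "Content-Security-Policy-Report-Only", value
    return "Content-Security-Policy", value


def summarize_violation(report_body: bytes) -> Dict[str, str]:
    """Pull the fields a defender triages first out of a report-uri POST body."""
    report = json.loads(report_body)["csp-report"]
    return {
        "page": report.get("document-uri", ""),
        "directive": report.get("violated-directive",
                                report.get("effective-directive", "")),
        "blocked": report.get("blocked-uri", ""),
        # "report" means the Report-Only header produced it; "enforce" means
        # the browser actually blocked the resource.
        "disposition": report.get("disposition", "enforce"),
    }


# Constructed sample report, shaped like the JSON a browser POSTs to report-uri
# when an inline style is blocked under a report-only policy. Hypothetical host.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://gateway.example/workflows",
        "violated-directive": "style-src",
        "effective-directive": "style-src",
        "blocked-uri": "inline",
        "disposition": "report",
        "original-policy": "style-src 'self'; report-uri /csp-report",
    }
}).encode()


if __name__ == "__main__":
    print(build_csp_header(DEFAULT_POLICY))
    print(build_csp_header("style-src 'self'", "/csp-report", report_only=True))
    print(summarize_violation(SAMPLE_REPORT))
```

Running it prints the default header Gateway sends, the Report-Only header you get while testing a stricter policy with a Report URI, and the summary of the constructed report; a disposition of "report" in collected reports is the signal that the Report only checkbox is still ticked and the policy is not yet being enforced.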