Create a CSP (Content-Security-Policy) rule

 

Information

 

Summary:

How to create a content security policy rule on the LoadMaster

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

A LoadMaster administrator would like to add Content-Security-Policy headers to Exchange traffic.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.

These attacks are used for data theft, site defacement, and malware distribution.
Resolution:

Create a CSP rule to mitigate potentially malicious requests.

One example is an "Add Header" rule:

  • Header Field to be Added: Content-Security-Policy
  • Value of Header Field to be Added: default-src 'self' data: 'unsafe-inline';img-src data: https:;script-src 'self' 'unsafe-inline' 'unsafe-eval'

Once the rule has been created, apply it to the desired Virtual Service (VS) under Advanced Properties > HTTP Header Modifications > Response Rules > Add Rule.

Workaround:  
Notes: CSP-Evaluator

This is just an article to show how CSP works; these values are not a best practice or a recommended setting from LoadMaster Support. They were tested with a lab Exchange 2016 and Exchange 2019. For best practice, ask Microsoft Support to provide CSP details.

A CSP does not come out of the box, because there are so many options that can be set and configured; users customize the header as their environment requires.

As mentioned, you can create content rules to add the required header to suit your environment.
https://content-security-policy.com/


Comments


Gary Westsall

In my case the listed CSP header values break OWA/ECP.

 

Thanks for any assistance regarding this issue.


Akshit Bhambota

Hey Gary,

Can you confirm for me what version of Exchange you are using along with the Build Number?
As I tested this with my Exchange 2019 and Exchange 2016, can you show me the errors or tell us about the error you encountered with the CSP ruleset?


Gary Westsall

Exchange Builds

Retiring 15.1 builds

It seems to be getting stuck at my OWA\ECP MFA solution.

ADSelfservice MFA for OWA.

I previously had to add a Content Matching Rule to allow ADSelfservice MFA to work with OWA.

Thanks Gary

Current error with CSP header modifications.


Akshit Bhambota

Hey,
We have updated the CSP values; can you try this?
default-src 'self' data: 'unsafe-inline';img-src data: https:;script-src 'self' 'unsafe-inline' 'unsafe-eval'

or

script-src 'self'; object-src 'self'

Add Security Header: https://support.kemptechnologies.com/hc/en-us/articles/9328173537805-Add-Security-Headers

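As an added check that is not part of this article or of the LoadMaster product: a short Python script that parses a Content-Security-Policy value with the fallback rules a browser applies (script-src and object-src fall back to default-src, and are unrestricted when neither is set) and flags weak source expressions, the kind of review the CSP Evaluator mentioned in the notes performs. It runs over the value from the Resolution and the stricter value suggested in the reply above; the weakness descriptions and the modelling of "unrestricted" as a wildcard are the script's own assumptions.

```python
# Source expressions that weaken script/plugin restrictions, with the reason a reviewer would give.
WEAK_SOURCES = {
    "'unsafe-inline'": "permits inline scripts, so an injected <script> still runs",
    "'unsafe-eval'": "permits eval()/new Function() on attacker-influenced strings",
    "data:": "data: URIs can carry attacker-supplied script or plugin content",
    "*": "wildcard permits loading from any origin",
    "https:": "scheme-only source permits any HTTPS origin",
}
# These keywords only have meaning in script-src; browsers ignore them in object-src.
SCRIPT_ONLY_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.
    Directives are ';'-separated; a repeated directive name is ignored, as browsers do."""
    policy: dict[str, list[str]] = {}
    for raw in value.split(";"):
        tokens = raw.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """script-src and object-src fall back to default-src; with neither set the
    directive is unrestricted, modelled here as the wildcard '*'."""
    return policy.get(directive, policy.get("default-src", ["*"]))


def find_weaknesses(value: str) -> list[str]:
    """Findings for the two directives that govern script and plugin execution."""
    policy = parse_csp(value)
    findings = []
    for directive in ("script-src", "object-src"):
        for src in effective_sources(policy, directive):
            if src in SCRIPT_ONLY_KEYWORDS and directive != "script-src":
                continue
            if src in WEAK_SOURCES:
                findings.append(f"{directive}: {src} {WEAK_SOURCES[src]}")
    return findings


# Inputs taken from the article: the Resolution value and the stricter value from the reply.
ARTICLE_VALUE = ("default-src 'self' data: 'unsafe-inline';img-src data: https:;"
                 "script-src 'self' 'unsafe-inline' 'unsafe-eval'")
STRICT_VALUE = "script-src 'self'; object-src 'self'"

if __name__ == "__main__":
    for label, value in (("article", ARTICLE_VALUE), ("strict", STRICT_VALUE)):
        print(label, find_weaknesses(value) or ["no weak script-src/object-src sources"])
```

The article value yields three findings (two for script-src, one for the data: source that object-src inherits from default-src); the stricter reply value yields none, at the cost of leaving every other fetch directive unrestricted because it sets no default-src.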