Create a CSP (Content-Security-Policy) rule
Information
Summary: How to create a Content-Security-Policy rule on the LoadMaster
Environment: Product: LoadMaster; Version: Any; Platform: Any; Application: Any
Question/Problem Description: A LoadMaster administrator would like to add Content-Security-Policy headers to Exchange traffic.
Steps to Reproduce:
Error Message:
Defect Number:
Enhancement Number:
Cause: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for data theft, site defacement, and malware distribution.
Resolution:
Create a CSP rule to mitigate potential malicious requests:
Once the rule has been created, apply it to the desired Virtual Service (VS).
Workaround:
Notes:
CSP-Evaluator
This is just an article to show how CSP works; it is not a best practice or a setting recommended by LoadMaster Support. These values were tested with Exchange 2016 and Exchange 2019 in a lab. For best-practice values, ask Microsoft Support to provide CSP details. No CSP is applied out of the box, because there are many options that can be set and configured; users can customise the header as required. As mentioned, content rules can be created to add the required header to suit your environment. https://content-security-policy.com/
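As an added example (not Kemp or LoadMaster code, and not the CSP Evaluator itself), the following Python script parses a CSP header value into its directives and flags the source expressions that weaken the script and plugin restrictions. The two header values quoted in the comments below are used as constructed sample input. It also handles the default-src fallback for an absent directive and the CSP Level 2 rule that 'unsafe-inline' is ignored once a nonce or hash source is present. All names in it are assumptions of this example, not LoadMaster settings.

```python
"""Parse a Content-Security-Policy header value and flag sources that weaken it.

Added example, not LoadMaster or Kemp code. It implements a small subset of the
checks that a CSP evaluator performs, so a header value can be sanity-checked
before it is put into a content rule.
"""

# Constructed sample inputs: the two header values quoted in the comments.
CSP_PERMISSIVE = (
    "default-src 'self' data: 'unsafe-inline';"
    "img-src data: https:;"
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
)
CSP_STRICT = "script-src 'self'; object-src 'self'"

# Source expressions that effectively remove the protection of a directive.
# Only the directives that control code execution are checked here.
RISKY_SOURCES = {
    "script-src": {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"},
    "object-src": {"*", "data:", "http:", "https:"},
}
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a header value into {directive: [source, ...]}.

    Directive names are case-insensitive. If a directive is repeated, the
    first occurrence wins, which matches how browsers handle duplicates.
    """
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if not tokens:
            continue  # empty clause, e.g. a trailing ';'
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Return (sources, inherited): the list that governs `directive` and
    whether it came from default-src because the directive itself is absent.
    Returns (None, False) when neither is present, i.e. no restriction at all."""
    if directive in policy:
        return policy[directive], False
    if "default-src" in policy:
        return policy["default-src"], True
    return None, False


def evaluate(header: str) -> list:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    policy = parse_csp(header)
    findings = []
    for directive, risky in RISKY_SOURCES.items():
        sources, inherited = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} is not set and there is no default-src fallback")
            continue
        # CSP Level 2: 'unsafe-inline' is ignored when a nonce or hash source is present.
        has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in sources)
        origin = " (inherited from default-src)" if inherited else ""
        for src in sources:
            if src.lower() == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            if src.lower() in risky:
                findings.append(f"{directive} allows {src}{origin}")
    return findings


if __name__ == "__main__":
    for label, header in (("permissive", CSP_PERMISSIVE), ("strict", CSP_STRICT)):
        print(f"[{label}] {header}")
        for finding in evaluate(header) or ["no findings"]:
            print("  -", finding)
```

Running it prints the findings for each header. Checking a candidate value this way before it goes into the content rule makes visible what each directive actually permits, including what an unset directive inherits from default-src; the CSP Evaluator referenced in the Notes performs the same kind of review more thoroughly.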
Comments
Hey Gary,
Can you confirm for me which version of Exchange you are using, along with the build number?
I tested this with my Exchange 2019 and Exchange 2016; can you show me the errors, or tell us about the error you encountered with the CSP ruleset?
Exchange Builds
Retiring 15.1 builds
It seems to be getting stuck at my OWA/ECP MFA solution.
ADSelfService MFA for OWA.
I previously had to add a Content Matching Rule to allow ADSelfService MFA to work with OWA.
Thanks Gary
Current error with CSP header modifications.
Hey,
We have updated the CSP values; can you try this?
default-src 'self' data: 'unsafe-inline';img-src data: https:;script-src 'self' 'unsafe-inline' 'unsafe-eval'
or
script-src 'self'; object-src 'self'
Add Security Header: https://support.kemptechnologies.com/hc/en-us/articles/9328173537805-Add-Security-Headers
Gary Westsall
In my case the listed CSP header values break OWA/ECP.
Thanks for any assistance regarding this issue.