
How To: Insert Content-Security-Policy header to HTTP response

Description

  • Headers that increase the safety of web applications
  • I would like to have CSP enabled in Silverline

Environment

  • Silverline WAF
  • Proxies/Proxy
  • HTTP Headers
  • iRules

Procedure

  1. Contact SOC for implementation of the below iRule.
    • NOTE: Provide directives and the iRule name in the ticket.
  2. SOC will add the following iRule to your account:

        when HTTP_RESPONSE priority 350 {
            # If server has not sent any Content-Security-Policy header, add it
            if {!([HTTP::header exists "Content-Security-Policy"])} {
                HTTP::header insert "Content-Security-Policy" "default-src 'self'"
            }
        }

The above is only an example iRule. It restricts the origin of content to ‘self’, which means the site’s own origin (without subdomains).

Directives Format

Different directives can be given for scripts, images, styles, media and other content types. If you would like the inserted CSP to contain multiple directives, provide SOC with all the directives you would like to include, in this format:

“Content-Security-Policy” “policy-directive”; “policy-directive”; “policy-directive”; …
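
A pre-submission check for the directive string, as an added example that is not part of the original article or of Silverline tooling: it parses the policy, flags mistakes that change how browsers apply it or that would break the double-quoted iRule string, and returns the single header value. The names lint_csp and header_value and the sample policy are assumptions made for illustration.

```python
import re

# Keywords that CSP only recognises when wrapped in single quotes.
QUOTED_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic",
                   "unsafe-hashes", "report-sample", "wasm-unsafe-eval"}
# Nonce and hash sources must be single-quoted as well.
NONCE_OR_HASH = re.compile(r"^(nonce|sha256|sha384|sha512)-")
# Characters Tcl would interpret inside the double-quoted iRule string.
TCL_SPECIAL = set('"[$\\')


def lint_csp(policy):
    """Return (directives, problems) for a Content-Security-Policy value."""
    directives, problems = {}, []
    bad = sorted(TCL_SPECIAL & set(policy))
    if bad:
        problems.append("characters need escaping in the iRule string: " + " ".join(bad))
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:  # empty segment, e.g. after a trailing semicolon
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if not re.fullmatch(r"[a-z0-9-]+", name):
            problems.append(f"invalid directive name: {tokens[0]}")
            continue
        if name in directives:
            # Browsers keep the first occurrence and ignore later ones.
            problems.append(f"duplicate directive ignored by browsers: {name}")
            continue
        for src in sources:
            if src.lower() in QUOTED_KEYWORDS or NONCE_OR_HASH.match(src):
                problems.append(f"{name}: {src} must be written as '{src}'")
        directives[name] = sources
    return directives, problems


def header_value(directives):
    """Serialise directives as parsed (no auto-fix) into one header value."""
    return "; ".join(" ".join([n] + s) for n, s in directives.items())


# Constructed sample policy with two deliberate mistakes.
SAMPLE = "default-src 'self'; img-src self https://img.example.com; script-src 'self'; img-src *;"

if __name__ == "__main__":
    parsed, issues = lint_csp(SAMPLE)
    print(header_value(parsed))
    for issue in issues:
        print("WARN:", issue)
```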
