Task #12560

Updated by Najmi Pasarudin almost 3 years ago

The "Content-Security-Policy" header is designed to modify the way browsers render pages, and thus to protect from various cross-site injections, including Cross-Site Scripting. It is important to set the header value correctly, in a way that will not prevent proper operation of the web site. For example, if the header is set to prevent execution of inline JavaScript, the web site must not use inline JavaScript in its pages.

Solution provided by LGMS:

Configure the application server to send the "Content-Security-Policy" header.

It is recommended for the policy to include a 'default-src' or 'script-src' directive to prevent inline scripts from running, as well as blocking the use of eval().

The Content-Security-Policy should include a 'default-src' policy directive, which would serve as a fallback for other resource types when they don't have policies of their own.

Kindly refer to the references for more examples on common use cases.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Affected URL:

https://10.10.55.34:9444/bsn-admin-uat/*

Please test using web server URL:
http://10.10.95.121:8080/bsn-admin-uat/
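To verify a deployed header against the recommendations quoted above (a `default-src` fallback, scripts restricted by `script-src` or `default-src`, no inline scripts, no `eval()`), the checker below parses a Content-Security-Policy value and reports what is missing or too permissive. This is an added example for this ticket, not code from the application, from LGMS or from the referenced MDN page; the policy strings in it are constructed samples, `https://cdn.example.com` is a placeholder origin, and the parser models only the two browser rules that matter here (the first occurrence of a directive wins, and fetch directives fall back to `default-src`).

```python
"""Parse a Content-Security-Policy header value and check it against the
recommendations in this task. Added example, not the project's own code;
the sample policies below are constructed, not captured from the server."""

from typing import Dict, List

# Constructed samples: one policy that defeats the purpose of the header,
# and one that meets the recommendations in the task.
WEAK_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'"
RECOMMENDED_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "   # placeholder origin
    "object-src 'none'; "
    "frame-ancestors 'none'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources...]}.

    Directives are separated by ';', tokens by whitespace, and directive
    names are case-insensitive. Browsers ignore a repeated directive and
    keep the first one, so the parser does the same."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:  # first occurrence wins, as in browsers
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources governing `directive`, falling back to default-src when the
    directive is absent (how browsers resolve fetch directives)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def check_csp(header: str) -> List[str]:
    """Return findings for a CSP value; an empty list means the policy
    satisfies the recommendations quoted in this task."""
    findings: List[str] = []
    policy = parse_csp(header)
    if not policy:
        return ["header missing or empty"]
    if "default-src" not in policy:
        findings.append("no default-src fallback directive")
    if "default-src" not in policy and "script-src" not in policy:
        findings.append("neither default-src nor script-src restricts scripts")
    # Normalise keyword sources: 'unsafe-inline' -> unsafe-inline
    scripts = [s.lower().strip("'") for s in effective_sources(policy, "script-src")]
    if "unsafe-inline" in scripts:
        findings.append("inline scripts allowed ('unsafe-inline' in script sources)")
    if "unsafe-eval" in scripts:
        findings.append("eval() allowed ('unsafe-eval' in script sources)")
    if "*" in scripts:
        findings.append("scripts may load from any origin ('*')")
    return findings


if __name__ == "__main__":
    for label, value in (("weak", WEAK_POLICY), ("recommended", RECOMMENDED_POLICY)):
        print(f"{label}: {check_csp(value) or ['ok']}")
```

Run it against the header the application actually returns by pasting that value into `check_csp`; a policy that passes here can still break the pages if they rely on inline scripts, so the check complements, rather than replaces, functional testing of the site with the header in place.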
