Set Content-Security-Policy by default for API Developer Portal 3.5

Idea created by Mark.ODonohue Employee on Jun 27, 2018

    A security requirement came up in one client's setup. The penetration test required the API Portal server to return a "Content-Security-Policy" header. The default API Portal install does not have one.

    Some references:

    https://www.content-security-policy.com/ 

    https://blog.100tb.com/implementing-content-security-policy-in-apache  

    https://stackoverflow.com/questions/30280370/how-does-content-security-policy-work  

    https://developers.google.com/web/fundamentals/security/csp/  

    https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP  

     

    Implementing on API Portal 3.5:

    On the API Portal, in /etc/httpd/conf/httpd.conf

    Start with a basic security policy:

    Header set Content-Security-Policy "default-src 'self';"

     

    Then restart the Apache httpd server.

    Then access the API Portal using the Chrome browser with the console open; it will give an error for each operation or access that does not comply with the security policy. We then added extra policy entries for all the ones we found, restarted the httpd service again and retested until there were no more security exceptions.

    For example: use of api-explorer needed 'unsafe-eval'; and if analytics were enabled, access was required to content from www.google-analytics.com.

    Our final working Content-Security-Policy for API Portal 3.5 was:

    Header set Content-Security-Policy "default-src 'self' https://fonts.googleapis.com/ https://fonts.gstatic.com/ https://www.google-analytics.com/ 'unsafe-inline' 'unsafe-eval' data:;"

    But it would be good if this, or a similar policy, were set by default in the API Portal 3.5 install.

    Cheers - Mark
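The tightening loop described in the post (start from `default-src 'self'`, watch the browser console, widen the policy until nothing is blocked) can be rehearsed offline with a small CSP evaluator. The block below is an added example, not code from the original post or from the API Portal product. `INITIAL_POLICY` and `FINAL_POLICY` are the two headers quoted above; the page origin `https://portal.example.com`, the list of resource loads and the narrower `TIGHTER_POLICY` are constructed here for illustration and have not been tested against API Portal 3.5. The matcher covers host, scheme and `'self'` sources plus the `'unsafe-inline'`/`'unsafe-eval'` keywords; it does not implement nonces, hashes or `'strict-dynamic'`.

```python
"""Offline CSP evaluator: which sample loads would a policy block, and which
sources in it weaken the policy. Added example; not part of the original post."""
from urllib.parse import urlsplit

# The two headers quoted in the post.
INITIAL_POLICY = "default-src 'self';"
FINAL_POLICY = ("default-src 'self' https://fonts.googleapis.com/ https://fonts.gstatic.com/ "
                "https://www.google-analytics.com/ 'unsafe-inline' 'unsafe-eval' data: ;")
# Hypothetical narrower policy: same origins, but each relaxation is scoped to the
# directive that needs it instead of default-src. Not verified against API Portal 3.5.
TIGHTER_POLICY = ("default-src 'self'; "
                  "script-src 'self' 'unsafe-eval' https://www.google-analytics.com/; "
                  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/; "
                  "font-src 'self' https://fonts.gstatic.com/; "
                  "img-src 'self' data: https://www.google-analytics.com/; "
                  "connect-src 'self' https://www.google-analytics.com/; "
                  "object-src 'none'")

PAGE_ORIGIN = "https://portal.example.com"  # constructed origin for the portal
# Constructed (directive, resource) pairs modelled on what the post says the Chrome
# console flagged. "inline" = an inline <script>/<style> block, "eval" = a JS eval() call.
SAMPLE_LOADS = [
    ("script-src", "https://portal.example.com/static/app.js"),
    ("script-src", "eval"),
    ("style-src", "inline"),
    ("style-src", "https://fonts.googleapis.com/css?family=Roboto"),
    ("font-src", "https://fonts.gstatic.com/s/roboto/v18/abc.woff2"),
    ("script-src", "https://www.google-analytics.com/analytics.js"),
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),
]


def parse_csp(policy):
    """Split a policy into {directive: [sources]}. Per spec a repeated directive is ignored."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_allows(source, url, page_origin):
    """Does one source expression permit fetching url from a page at page_origin?"""
    s = source.lower()
    if s == "'self'":
        return _origin(url) == page_origin.lower()
    if s.startswith("'"):           # 'none', 'unsafe-*', nonces, hashes: never match a URL
        return False
    target = urlsplit(url)
    if s == "*":
        return target.scheme in ("http", "https")
    if "://" not in s and s.endswith(":"):   # scheme source such as data: or https:
        return target.scheme + ":" == s
    src = urlsplit(s if "://" in s else "//" + s)
    if src.scheme and not (src.scheme == target.scheme
                           or (src.scheme == "http" and target.scheme == "https")):
        return False
    host, thost = src.hostname or "", target.hostname or ""
    if host.startswith("*."):
        if not thost.endswith(host[1:]):
            return False
    elif host != thost:
        return False
    if src.port is not None and src.port != target.port:
        return False
    if src.path and src.path != "/":         # trailing slash = prefix match, else exact
        return target.path.startswith(src.path) if src.path.endswith("/") else target.path == src.path
    return True


def check_loads(policy, page_origin, loads):
    """Return one message per load the policy would block (fetch directives fall back to default-src)."""
    directives = parse_csp(policy)
    violations = []
    for directive, target in loads:
        sources = directives.get(directive, directives.get("default-src"))
        if sources is None:                  # neither directive nor default-src: unrestricted
            continue
        if target in ("inline", "eval"):
            ok = f"'unsafe-{target}'" in [s.lower() for s in sources]
        else:
            ok = any(source_allows(s, target, page_origin) for s in sources)
        if not ok:
            violations.append(f"{directive}: {target} blocked by [{' '.join(sources)}]")
    return violations


def weak_sources(policy):
    """List (directive, source) pairs that weaken the policy: unsafe keywords, wildcards,
    and data: where it would allow script or plugin content."""
    findings = []
    for name, sources in parse_csp(policy).items():
        for s in sources:
            if s.lower() in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                findings.append((name, s))
            elif s.lower() == "data:" and name in ("default-src", "script-src", "object-src"):
                findings.append((name, s))
    return findings


if __name__ == "__main__":
    for label, policy in [("initial", INITIAL_POLICY), ("final", FINAL_POLICY), ("tighter", TIGHTER_POLICY)]:
        print(f"== {label}: {len(check_loads(policy, PAGE_ORIGIN, SAMPLE_LOADS))} blocked, "
              f"weak sources: {weak_sources(policy)}")
        for v in check_loads(policy, PAGE_ORIGIN, SAMPLE_LOADS):
            print("   ", v)
```

Against the constructed loads, the initial policy blocks everything except the portal's own script, the final policy from the post blocks nothing but carries `'unsafe-inline'`, `'unsafe-eval'` and `data:` in `default-src` (so they also apply to scripts and plugins), and the hypothetical tighter policy passes the same loads while confining each relaxation to one directive. Whatever this evaluator says, the browser console remains the authority; `Content-Security-Policy-Report-Only` lets the candidate policy be observed on the real portal without blocking anything.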