A security requirement came up in one client's setup. The penetration test required the API Portal server to return a "Content-Security-Policy" header. The default API Portal install does not have one.
Some references:
Implementing on API Portal 3.5:
On the API Portal
Start with a basic Content-Security-Policy:
Header set Content-Security-Policy "default-src 'self';"
Then restart the Apache httpd server.
Then access the API Portal using the Chrome browser with the console open; it will give an error for each operation or access that does not comply with the security policy. We then added an extra policy directive for each of the ones we found, restarted the httpd service again and retested until there were no more security exceptions.
For example: use of api-explorer needed 'unsafe-eval', and if analytics were enabled, access was required to content from www.google-analytics.com.
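The iterative step above (read the console violations, extend the policy, retest) can be rehearsed offline before touching httpd. The following is an added example, not from the original post or from the API Portal product: a small CSP evaluator that applies the default-src fallback rule and reports which observed loads a candidate header would block. The portal origin, the extended policy and the list of observed loads are constructed stand-ins, not the author's final policy.

```python
from urllib.parse import urlparse

PAGE_ORIGIN = "https://portal.example.com"  # constructed stand-in for the portal host

# The starting point from the post, and a constructed extended policy covering the
# two cases the post mentions: 'unsafe-eval' for api-explorer, and Google Analytics.
BASELINE_CSP = "default-src 'self';"
EXTENDED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-eval' https://www.google-analytics.com; "
    "img-src 'self' https://www.google-analytics.com;"
)

# Constructed stand-in for what the Chrome console reported as blocked or allowed loads.
OBSERVED_LOADS = [
    ("script-src", "https://portal.example.com/js/app.js"),
    ("script-src", "eval"),                                  # api-explorer's eval()
    ("script-src", "https://www.google-analytics.com/analytics.js"),
    ("img-src", "https://www.google-analytics.com/collect"),  # analytics beacon
]

def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def allows(header, directive, origin, page_origin=PAGE_ORIGIN):
    """True if `directive` permits `origin` (a URL, or 'eval' / 'inline' for
    script evaluation and inline code). Fetch directives fall back to default-src."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    if origin == "eval":
        return "'unsafe-eval'" in sources
    if origin == "inline":
        return "'unsafe-inline'" in sources
    req, page = urlparse(origin), urlparse(page_origin)
    if "*" in sources or ("'self'" in sources and (req.scheme, req.netloc) == (page.scheme, page.netloc)):
        return True
    for src in sources:
        if src.startswith("'"):
            continue  # keyword sources handled above
        s = urlparse(src if "://" in src else "//" + src)  # host-source, scheme optional
        if s.scheme and s.scheme != req.scheme:
            continue
        host = s.hostname or ""
        if host.startswith("*.") and (req.hostname or "").endswith(host[1:]):
            return True
        if host == req.hostname:
            return True
    return False

def blocked_loads(header, loads):
    """Return the (directive, origin) pairs the policy would block: the retest list."""
    return [(d, o) for d, o in loads if not allows(header, d, o)]
```

Running `blocked_loads(BASELINE_CSP, OBSERVED_LOADS)` lists the three loads the bare `default-src 'self'` rejects; the extended policy blocks none of them.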
Our final working Content-Security-Policy for API Portal 3.5 was:
But it would be good if this, or a similar policy, were set by default in the API Portal 3.5 install:
Cheers - Mark