Adobe Experience Manager Sites & More

mirkomanga · 4/2/23

Hi everyone,

does anyone has set some custom value in any part of AEMaaCS dispatcher configuration????
We're dealing with it since many months, but it appears that one can apply own filters, rewrite_rules, caching...but nothing happens with values added to /custom_farm.any & customo.vhost! It's very frystrating!
For example, we just need to add the following header:
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
And from official docs we added in our .vhost file the following value:
...
<IfModule mod_headers.c>
Header add X-Vhost "customTestVHost"
Header add Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
</IfModule>
...

We tried using Header set, Header always append...nothing!
I underline that we changed also a value that usually we can see in every headers (X-Vhost), just to see if our changes were digested...nothing! Network tracking always show default Response Headers! Even the VHost, as you can see,

remain the one in default.vhost....but the build logs shows that alway's went well, and same results validating locally the dispatcher! It's really frustrating...What do we're doing wrong? Someone has a suggestion?
Regards

AMANATH_ULLAH · 4/2/23

@mirkomanga

Use Header always set to add Content-Security-Policy header as below in VHost file

<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
</IfModule>

View solution in original post

niraj001 · 4/2/23

Can you try following ways.

Update the header module with below syntax.

<VirtualServer>

~Bits of important stuff here~

    <IfModule headers_module>

    RequestHeader set X-HTTPS 1

Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com fonts.googleapis.com;”

</IfModule>

~more bits of important stuff~

</VirtualServer>

2. HTML meta tags in page properties.

AMANATH_ULLAH · 4/2/23

@mirkomanga

Use Header always set to add Content-Security-Policy header as below in VHost file

<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
</IfModule>