
SOLVED

AEM as a Cloud Manager: How to add Content-security-policy Header?


Level 3

Hi everyone,

Has anyone set some custom value in any part of the AEMaaCS dispatcher configuration?
We've been dealing with it for many months, but it appears that one can apply one's own filters, rewrite_rules, caching...but nothing happens with values added to /custom_farm.any & customo.vhost! It's very frustrating!
For example, we just need to add the following header:
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
And from official docs we added in our .vhost file the following value:
...
<IfModule mod_headers.c>
Header add X-Vhost "customTestVHost"
Header add Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
</IfModule>
...

We tried using Header set, Header always append...nothing!
I'd underline that we also changed a value that we can usually see in every header (X-Vhost), just to see if our changes were digested...nothing! Network tracking always shows the default Response Headers! Even the VHost, as you can see, remains the one in default.vhost...but the build logs show that it always went well, and we get the same results validating the dispatcher locally! It's really frustrating...What are we doing wrong? Does anyone have a suggestion?
Regards

1 Accepted Solution


Correct answer by
Community Advisor

@mirkomanga 

Use Header always set to add the Content-Security-Policy header as below in the VHost file:

<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
</IfModule>

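Added example, not part of the original thread or of Adobe's documentation: the policy quoted in the question and in the accepted answer names script-src twice, and under the CSP Level 3 parsing rules a browser keeps only the first occurrence of a directive. The sketch below parses the header value that way, lists the sources that never take effect, and builds a merged value; the function names are this example's own.

```javascript
// Parse a serialized CSP following the CSP Level 3 rule that a repeated
// directive name is ignored (only the first occurrence is enforced).
function parseCsp(serialized) {
  const effective = new Map(); // directive name -> source list in force
  const ignored = [];          // later duplicates the browser discards
  for (const raw of serialized.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;    // empty segment, e.g. after a trailing ';'
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    const sources = tokens.slice(1);
    if (effective.has(name)) ignored.push({ name, sources });
    else effective.set(name, sources);
  }
  return { effective, ignored };
}

// Sources that only appear in a discarded duplicate and so are never allowed.
function lostSources(policy) {
  const lost = [];
  for (const { name, sources } of policy.ignored) {
    const kept = new Set(policy.effective.get(name));
    for (const s of sources) if (!kept.has(s)) lost.push(`${name} ${s}`);
  }
  return lost;
}

// Fold each duplicate into the first occurrence and serialize the result.
function mergeDuplicates(policy) {
  const merged = new Map([...policy.effective].map(([n, s]) => [n, [...s]]));
  for (const { name, sources } of policy.ignored) {
    const list = merged.get(name);
    for (const s of sources) if (!list.includes(s)) list.push(s);
  }
  return [...merged].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

// The header value quoted in the question and in the accepted answer.
const THREAD_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; " +
  "script-src 'self' www.google-analytics.com ajax.googleapis.com;";

const parsed = parseCsp(THREAD_POLICY);
console.log('ignored duplicates:', parsed.ignored.map((d) => d.name));
console.log('never allowed:', lostSources(parsed));
console.log('merged value:', mergeDuplicates(parsed));
```

With the header as posted, scripts from www.google-analytics.com and ajax.googleapis.com are blocked even once the header is delivered; the merged value carries them in the single script-src that is enforced.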

3 Replies


Level 2

Can you try the following ways?

  1. Update the header module with the syntax below.
<VirtualServer>
~Bits of important stuff here~
    <IfModule headers_module>
    RequestHeader set X-HTTPS 1
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com fonts.googleapis.com;"
    </IfModule>
~more bits of important stuff~
</VirtualServer>

  2. HTML meta tags in page properties.
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">


Level 3

Hi guys, thanks for both the answers, very precious, we solved the issue.
Regards