Expand my Community achievements bar.

SOLVED

AEM as a Cloud Manager: How to add Content-security-policy Header?

Avatar

Level 3
Level 3
4/2/23 9:21:24 AM

Hi everyone,

does anyone has set some custom value in any part of AEMaaCS dispatcher configuration????
We're dealing with it since many months, but it appears that one can apply own filters, rewrite_rules, caching...but nothing happens with values added to /custom_farm.any & customo.vhost! It's very frystrating!
For example, we just need to add the following header:
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
And from official docs we added in our .vhost file the following value:
...
<IfModule mod_headers.c>
Header add X-Vhost "customTestVHost"
Header add Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
</IfModule>
...

We tried using Header set, Header always append...nothing!
I underline that we changed also a value that usually we can see in every headers (X-Vhost), just to see if our changes were digested...nothing! Network tracking always show default Response Headers! Even the VHost, as you can see,

mirkomanga_0-1680452340000.png

 


remain the one in default.vhost....but the build logs shows that alway's went well, and same results validating locally the dispatcher! It's really frustrating...What do we're doing wrong? Someone has a suggestion?
Regards

Views

1.4K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 4
Level 4
4/2/23 9:34:39 PM

@mirkomanga 

Use Header always set to add Content-Security-Policy header as below in VHost file

 

<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
</IfModule>

View solution in original post

Views

1.4K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Level 2
Level 2
4/2/23 1:51:33 PM

Can you try following ways.

 

  1. Update the header module with below syntax. 
<VirtualServer>

~Bits of important stuff here~

    <IfModule headers_module>

    RequestHeader set X-HTTPS 1

Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com fonts.googleapis.com;”

</IfModule>

~more bits of important stuff~

</VirtualServer>

        2. HTML meta tags in page properties.

 

            <meta http-equiv="Content-Security-Policy" content="script-src 'self'">

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 4
Level 4
4/2/23 9:34:39 PM

@mirkomanga 

Use Header always set to add Content-Security-Policy header as below in VHost file

 

<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
</IfModule>

Views

1.4K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 3
Level 3
4/3/23 1:23:07 AM
In response to AMANATH_ULLAH

Hi guys, thanks for both the answers, very precious, we solved the issue
Regards

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate