AEM as a Cloud Manager: How to add Content-security-policy Header? | Community
mirkomanga
Level 3
April 2, 2023
Solved

AEM as a Cloud Manager: How to add Content-security-policy Header?

  • April 2, 2023
  • 2 replies
  • 5558 views

Hi everyone,

Has anyone set some custom value in any part of the AEMaaCS dispatcher configuration?
We've been dealing with it for many months, but it appears that one can apply their own filters, rewrite_rules, caching...but nothing happens with values added to /custom_farm.any & custom.vhost! It's very frustrating!
For example, we just need to add the following header:
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
And, following the official docs, we added the following value to our .vhost file:
...
<IfModule mod_headers.c>
Header add X-Vhost "customTestVHost"
Header add Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
</IfModule>
...

We tried using Header set, Header always append...nothing!
I underline that we also changed a value that we usually see in every response's headers (X-Vhost), just to see if our changes were picked up...nothing! Network tracking always shows the default response headers! Even the X-Vhost, as you can see, remains the one from default.vhost....but the build logs show that everything went well, and the same results when validating the dispatcher locally! It's really frustrating...What are we doing wrong? Does someone have a suggestion?
Regards


2 replies

Level 2
April 2, 2023

Can you try the following ways?

  1. Update the header module with the syntax below.

<VirtualServer>

~Bits of important stuff here~

    <IfModule headers_module>

    RequestHeader set X-HTTPS 1

    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com fonts.googleapis.com;"

    </IfModule>

~more bits of important stuff~

</VirtualServer>

  2. HTML meta tags in page properties.

    <meta http-equiv="Content-Security-Policy" content="script-src 'self'">

AMANATH_ULLAH
Community Advisor
Accepted solution
April 3, 2023

@mirkomanga 

Use Header always set to add the Content-Security-Policy header as below in the VHost file:

 

<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
</IfModule>

Amanath Ullah
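The policy string quoted in the question and in the accepted answer contains two script-src directives, and a browser keeps only the first occurrence of a directive name and ignores any later one, so as written the Google Analytics and ajax.googleapis.com sources would never take effect. The following Python script is an added example for this thread, not Adobe's code and not part of the dispatcher SDK: it parses a CSP value, shows the policy a browser will actually enforce, lints it for duplicate directives and 'unsafe-*' sources, and renders a corrected `Header always set` line for the vhost. The only input is the policy string copied from the posts above; the merged policy and the function names are this example's own.

```python
"""Parse, lint and render a Content-Security-Policy header value.

Added example for this thread (not Adobe's code, not the dispatcher SDK's).
It checks the policy posted above before it is pasted into the vhost.
"""

# Policy string copied verbatim from the question / accepted answer above.
POSTED_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; "
    "script-src 'self' www.google-analytics.com ajax.googleapis.com;"
)


def parse_csp(header_value):
    """Split a serialized CSP into (directive, [sources]) pairs, in order.

    Every occurrence is returned, duplicates included, so the caller can see
    what was written before the browser's first-wins rule is applied.
    """
    directives = []
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, *sources = token.split()
        directives.append((name.lower(), sources))
    return directives


def effective_policy(header_value):
    """Apply the CSP rule that a repeated directive name is ignored after its
    first occurrence.  Returns the directives a browser will actually enforce."""
    effective = {}
    for name, sources in parse_csp(header_value):
        if name not in effective:
            effective[name] = sources
    return effective


def lint_csp(header_value):
    """Return the findings a reviewer would raise on this policy."""
    findings = []
    seen = set()
    for name, sources in parse_csp(header_value):
        if name in seen:
            findings.append(
                f"duplicate directive '{name}': browsers keep the first one and "
                f"ignore {' '.join(sources)!r}"
            )
        seen.add(name)
    effective = effective_policy(header_value)
    for name, sources in effective.items():
        if name.endswith("-src"):
            for weak in ("'unsafe-inline'", "'unsafe-eval'"):
                if weak in sources:
                    findings.append(f"{name} allows {weak}, which weakens XSS protection")
    if "script-src" not in effective and "default-src" not in effective:
        findings.append("no script-src or default-src: scripts are unrestricted")
    return findings


def build_csp(policy):
    """Serialize a dict {directive: [sources]} into one header value.
    A dict cannot hold the same key twice, so the duplicate above cannot recur."""
    return "; ".join(f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items())


def apache_header_line(header_value):
    """Render the mod_headers line for the vhost.  'always' selects the header
    table that Apache applies to every response, not only 2xx ones, which is
    the form the accepted answer uses."""
    escaped = header_value.replace('"', '\\"')
    return f'Header always set Content-Security-Policy "{escaped}"'


# Same sources as the posted policy, with the two script-src lists merged
# (this merged form is the example's own suggestion, not from the thread).
FIXED_POLICY = build_csp({
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'",
                   "www.google-analytics.com", "ajax.googleapis.com"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'"],
})

if __name__ == "__main__":
    print("Findings on the posted policy:")
    for finding in lint_csp(POSTED_POLICY):
        print(" -", finding)
    print("\nEffective script-src as posted:", effective_policy(POSTED_POLICY)["script-src"])
    print("\nCorrected vhost line:\n" + apache_header_line(FIXED_POLICY))
```

Running it lists the duplicate script-src finding first, then the 'unsafe-inline' / 'unsafe-eval' allowances that are still present in the merged policy; whether those stay is a separate decision, but the duplicate is a plain mistake that silently blocks the third-party scripts the policy was meant to allow. The same parse can be run on the value that actually arrives in the browser (copied from the network tab) to confirm the dispatcher served the intended header rather than the default.vhost one.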
mirkomanga
Level 3
April 3, 2023

Hi guys, thanks for both answers, very precious; we solved the issue.
Regards