Enabling the use of Content-Security-Policy response headers in IIS

Article ID: 219956

Updated On:

Products

Information Centric Analytics

Issue/Introduction

Per Mozilla:

HTTP Content-Security-Policy (CSP) response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks.

In order to use CSP with Information Centric Analytics (ICA), the procedure provided in the Resolution of this document must first be implemented.

Environment

Release : 6.5.x

Component : IIS

Resolution

The following procedure enables the use of CSP headers with ICA. We recommend testing it in a development environment first. To implement it:

  1. In SQL Server Management Studio (SSMS), connect to the database engine hosting the ICA RiskFabric database
  2. Navigate to Databases > RiskFabric
  3. Right-click the RiskFabric database and select New Query
  4. Paste the following query in the new query editor window:
    -- Upsert the CORS portal settings: insert any that are missing, update the value of any that already exist
    MERGE dbo.PortalSettings AS TARGET
    USING (VALUES
        ('CorsEnabled', '1', 'bool'),
        ('CorsOrigins', 'http://localhost:80', 'string'),
        ('CorsHeaders', 'Accept, Content-Type, X-Requested-With', 'string'),
        ('CorsMethods', 'GET, POST, OPTIONS', 'string')
    ) AS SOURCE (Name, Value, ValueType)
    ON (TARGET.Name = SOURCE.Name)
    WHEN NOT MATCHED THEN
        INSERT (Name, Value, ValueType) VALUES (SOURCE.Name, SOURCE.Value, SOURCE.ValueType)
    WHEN MATCHED THEN
        UPDATE SET Value = SOURCE.Value;
  5. Execute the query by pressing F5, or selecting Execute from the Query menu
  6. Open the Services application on the ICA web server
  7. Locate the World Wide Web Publishing Service
  8. Right-click the World Wide Web Publishing Service and select Restart
  9. In a browser, refresh the ICA web console so the change takes effect
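As an added post-restart check (example code, not part of this article or the ICA product), the following Python helper compares the headers returned by the ICA web console with the PortalSettings values written by the query above; it assumes the console is served from http://localhost:80 as in that query and that a Content-Security-Policy header has been configured on the IIS site. The two responses it inspects are constructed samples, not captures from a real server.

```python
# Added verification helper; not part of the ICA product or this article.
# Compares CORS/CSP response headers with the PortalSettings values from the MERGE query.

# Values taken from the MERGE query in the Resolution section.
EXPECTED = {
    "CorsOrigins": "http://localhost:80",
    "CorsHeaders": "Accept, Content-Type, X-Requested-With",
    "CorsMethods": "GET, POST, OPTIONS",
}

def _as_set(value: str) -> set[str]:
    """Split a comma-separated header or setting value into a normalised set."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}

def check_headers(headers: dict[str, str], expected: dict[str, str] = EXPECTED) -> list[str]:
    """Return a list of findings; an empty list means the response matches the settings."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy header is missing")
    origin = h.get("access-control-allow-origin")
    if origin is None:
        findings.append("Access-Control-Allow-Origin header is missing")
    elif origin == "*":
        findings.append("Access-Control-Allow-Origin is '*' instead of the configured origin")
    elif origin.rstrip("/").lower() not in _as_set(expected["CorsOrigins"]):
        findings.append(f"Access-Control-Allow-Origin '{origin}' is not in CorsOrigins")
    for hdr, key in (("access-control-allow-headers", "CorsHeaders"),
                     ("access-control-allow-methods", "CorsMethods")):
        if hdr not in h:
            findings.append(f"{hdr} header is missing")
        elif _as_set(h[hdr]) != _as_set(expected[key]):
            findings.append(f"{hdr} '{h[hdr]}' does not match {key} '{expected[key]}'")
    return findings

# Constructed sample responses (not captured from a real ICA server).
GOOD_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'",
    "Access-Control-Allow-Origin": "http://localhost:80",
    "Access-Control-Allow-Headers": "Accept, Content-Type, X-Requested-With",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
}
BAD_RESPONSE = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "GET, POST"}

if __name__ == "__main__":
    for name, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(name, check_headers(resp) or "OK")
```

For a live check, build the dictionary from the headers of a real response to the console URL and pass it to check_headers.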