Missing Security Header – Content Security Policy (CSP)

Article ID: 402920

Products

CA Identity Suite

Issue/Introduction

During penetration testing, it was observed that the Identity Suite application was using an incomplete "Content Security Policy" header.

Without a properly configured CSP header, the application remains susceptible to XSS attacks.

We received the recommendation below, but applying it breaks access to the application.

It is recommended to implement a properly configured CSP header.

Example: default-src 'self'; script-src 'self'; style-src 'self'

Environment

All IGA Suite components 14.4.x, 14.5.x.

Resolution

The current IGA Suite UI depends on certain third-party libraries (AngularJS in particular) whose core implementation does not support running under a restrictive CSP header. We plan to migrate from AngularJS to Angular in the future.

The product already provides the following alternatives:

X-Frame-Options: SAMEORIGIN. Prevents clickjacking by disallowing iframe embedding from other origins. This is equivalent to frame-ancestors 'self' (or 'none') in CSP.

X-XSS-Protection: 1; mode=BLOCK. An internal framework filter that strongly defends against XSS or clickjacking attacks.
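To make the recommended baseline and the X-Frame-Options fallback concrete, here is an added example (written for this page, not code from the KB article or from the Identity Suite product) that parses a Content-Security-Policy header, checks the three directives quoted in the recommendation for source expressions that defeat them, and records whether framing is restricted by frame-ancestors or by the X-Frame-Options equivalent described above. The header maps it audits are constructed samples, not captured from any deployment.

```python
"""Audit response headers against the CSP baseline discussed in this article.

Added example for this page; it is not code from the KB article or from the
Identity Suite product. The sample header maps at the bottom are constructed.
"""
from typing import Dict, List, Optional

# Directives the article's recommendation restricts to 'self'. Rather than
# demanding exactly 'self' (real deployments often add a CDN origin), the
# audit flags source expressions that defeat the purpose of the directive.
BASELINE_DIRECTIVES = ("default-src", "script-src", "style-src")
UNSAFE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}.

    Directive names are case-insensitive; when a directive is repeated,
    browsers honour the first occurrence and ignore the rest, so we do too.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def frame_options_to_csp(value: str) -> Optional[str]:
    """Return the frame-ancestors directive equivalent to an X-Frame-Options value."""
    normalised = value.strip().upper()
    if normalised == "SAMEORIGIN":
        return "frame-ancestors 'self'"
    if normalised == "DENY":
        return "frame-ancestors 'none'"
    return None  # e.g. the obsolete ALLOW-FROM form has no direct equivalent


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map (header names case-insensitive)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    csp = lowered.get("content-security-policy")
    policy = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        for directive in BASELINE_DIRECTIVES:
            sources = policy.get(directive)
            inherited = ""
            # Fetch directives fall back to default-src when not set explicitly.
            if sources is None and directive != "default-src" and "default-src" in policy:
                sources = policy["default-src"]
                inherited = " (inherited from default-src)"
            if sources is None:
                findings.append(f"{directive} not set (no default-src fallback either)")
                continue
            bad = sorted(set(sources) & UNSAFE_SOURCES)
            if bad:
                findings.append(f"{directive} allows {', '.join(bad)}{inherited}")

    # frame-ancestors does not inherit from default-src, so without it the
    # only framing control is the X-Frame-Options header.
    if "frame-ancestors" not in policy:
        xfo = lowered.get("x-frame-options")
        if xfo is None:
            findings.append("frame-ancestors not set and no X-Frame-Options header: "
                            "framing by other origins is not restricted")
        elif frame_options_to_csp(xfo) is None:
            findings.append(f"X-Frame-Options value {xfo!r} has no frame-ancestors equivalent")
    return findings


# Constructed sample responses (not captured from any real deployment).
RECOMMENDED = {"Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'"}
WEAK = {
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}
FALLBACK = {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block"}

if __name__ == "__main__":
    for label, sample in (("recommended", RECOMMENDED), ("weak", WEAK), ("fallback", FALLBACK)):
        print(f"{label}: {audit_headers(sample) or ['no findings']}")
```

Run against the article's own recommended policy, the audit notes that it says nothing about framing, which is exactly the gap the X-Frame-Options header fills; run against a response with only the fallback headers, it reports the missing CSP and nothing else. When trialling a stricter policy against an application that breaks under it, the same policy can be shipped in a Content-Security-Policy-Report-Only header first, which reports violations without blocking anything.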

As no further remediation is available in the current product version, please advise your security testing team accordingly and request a waiver if necessary.