Closed djgrijalva closed 1 week ago
The Content-Security-Policy header can be configured via settings.ps1. Set-PSUSetting has a parameter called -ContentSecurityPolicy to adjust this value.
We've also added Kestrel \ Headers to appsettings.json to add arbitrary headers (like X-Content-Type-Options) to the web server.
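An added verification check, written for this thread and not taken from the PowerShell Universal project or the comment above: it requests a page from a PSU instance and reports whether the two headers the report names (Content-Security-Policy and X-Content-Type-Options) are present and carry a sensible value. The base URL, the function name, and the sample CSP string in the comment are assumptions; `Set-PSUSetting -ContentSecurityPolicy` is the parameter named above, but the policy value shown is a constructed example to be tuned to what the PSU front end actually needs.

```powershell
# Added example (not from the issue or the PowerShell Universal project).
# Verifies that a PSU instance now sends the headers the report said were missing.
# Assumes CSP was configured in settings.ps1 along the lines of (constructed sample value):
#   Set-PSUSetting -ContentSecurityPolicy "default-src 'self'; frame-ancestors 'none'"
function Test-PSUSecurityHeaders {
    [CmdletBinding()]
    param(
        # Assumed: a page that answers 200, e.g. the PSU login page.
        [Parameter(Mandatory)]
        [string]$BaseUrl
    )

    # Only the response headers matter here; any 200 page will do.
    $response = Invoke-WebRequest -Uri $BaseUrl -Method Get -UseBasicParsing -ErrorAction Stop

    # Header lookup that is case-insensitive and works in both Windows PowerShell 5.1
    # (values are string) and PowerShell 7 (values are string[]).
    function Get-HeaderValue([string]$Name) {
        $key = $response.Headers.Keys | Where-Object { $_ -ieq $Name } | Select-Object -First 1
        if (-not $key) { return $null }
        return (@($response.Headers[$key]) -join ', ')
    }

    # Each check: header name plus a predicate deciding whether the value is acceptable.
    $checks = @(
        @{
            Name = 'Content-Security-Policy'
            # Present, and default-src must not be a bare wildcard (a policy that allows everything).
            Test = { param($v) $v -and $v -notmatch "(?i)default-src\s+\*" }
        }
        @{
            Name = 'X-Content-Type-Options'
            # The only meaningful value is "nosniff".
            Test = { param($v) $v -and $v.Trim() -ieq 'nosniff' }
        }
    )

    foreach ($check in $checks) {
        $value = Get-HeaderValue $check.Name
        [pscustomobject]@{
            Header  = $check.Name
            Present = [bool]$value
            Value   = $value
            Passed  = [bool](& $check.Test $value)
        }
    }
}

# Usage (assumed URL; run after restarting PSU so settings.ps1 and appsettings.json are reloaded):
# Test-PSUSecurityHeaders -BaseUrl 'https://psu.example.internal:5000/' | Format-Table -AutoSize
```

A row with Present = True but Passed = False points at a header that is set but too permissive (for CSP, a wildcard default-src), which is worth catching before calling the hardening done. Because Invoke-WebRequest throws on non-2xx responses, point the check at a page that returns 200 rather than at an authenticated API route.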
Version
4.2.21
Severity
Low
Environment
msi
Steps to Reproduce
Proper implementation of HTTP security headers is a fundamental part of website security/hardening. The security headers add an extra layer of protection on modern browsers. Properly implemented, security headers offer protection against common attacks, including XSS, redirection, and many others. The PSU application did not have any of the browser security headers implemented. Content Security Policy (CSP) and X-Content-Type-Options are missing from the HTTP response headers.
Expected behavior
Actual behavior
Additional Environment data
No response
Screenshots/Animations
No response