api-management-developer-portal
Missing HTTP Header - Content-Security-Policy
Bug description
The application does not explicitly set the Content-Security-Policy HTTP header. This header helps to prevent unwanted content from being injected into the application, aiding in the mitigation and prevention of XSS vulnerabilities, unintended tracking, unacceptable frames, and other potentially malicious content.
The Content-Security-Policy header provides an additional layer of security for the site from client-side attacks such as cross-site scripting. In the absence of this header, an attacker can exploit client-side vulnerabilities such as cross-site scripting, clickjacking, and packet sniffing attacks.
Expected behavior
It is a best practice to implement the Content-Security-Policy header throughout the application. The specific implementation of the CSP header depends on the application configuration but general instructions for CSP headers can be found at: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html.
At a minimum, Content-Security-Policy should be used to restrict script execution with the script-src directive and prevent framing attacks with the frame-ancestors directive.
Is your portal managed or self-hosted?
Managed
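As an added example (not code from the api-management-developer-portal project), here is a small JavaScript check for the minimum the report asks for: it parses a Content-Security-Policy value and flags a missing or permissive script-src (honouring the default-src fallback) and a missing frame-ancestors directive (which has no fallback). The sample header values are constructed for illustration.

```javascript
// Added example, not part of the api-management-developer-portal code base.
// Parses a Content-Security-Policy header value and audits it against the
// minimum bar described in the issue: script-src and frame-ancestors present
// and not wide open.

// Parse "name src1 src2; name2 ..." into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    // Per the CSP spec, a repeated directive is ignored: the first one wins.
    if (!policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Return a list of findings; an empty list means the minimum bar is met.
function auditCsp(header) {
  if (!header || header.trim() === '') {
    return ['Content-Security-Policy header is missing'];
  }
  const findings = [];
  const policy = parseCsp(header);

  // script-src falls back to default-src when it is absent.
  const scriptSrc = policy.get('script-src') || policy.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src (and no default-src fallback)');
  } else {
    const src = scriptSrc.map((s) => s.toLowerCase());
    const hasNonceOrHash = src.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
    if (src.includes('*')) findings.push("script-src allows any host ('*')");
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP3).
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    }
  }

  // frame-ancestors does NOT fall back to default-src; it must be explicit.
  if (!policy.has('frame-ancestors')) {
    findings.push('no frame-ancestors directive (framing not restricted)');
  }
  return findings;
}

// Constructed sample headers: a permissive one and a hardened one.
const WEAK_CSP = "default-src *; style-src 'self'";
const HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'";
```

Run `auditCsp(WEAK_CSP)` to see the two findings (wildcard script execution via the default-src fallback, and no frame-ancestors); `auditCsp(HARDENED_CSP)` returns an empty list.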
@AlexTukalskiy-CRL, thank you for opening this issue. We will triage it within the next few business days.
Any update on this issue? If resolved kindly provide solution.
https://github.com/Azure/api-management-developer-portal/issues/798 assumes it's implemented, but even if you configure the settings in the Azure portal, it doesn't get added to the portal (I'm using self-hosted and republished with the latest codebase).
This issue is related to the managed developer portal. We advise you to create an Azure support request to get assistance on this issue. Please refer to the link below to create a new Azure support request, and select Problem Type = "Developer Portal" in the request to route it appropriately.
https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request
@mrcarlosdev please see my comment, it's still not fixed for the self-hosted version.