Citrix ADC

Content Security Policy response header support for Citrix Gateway and authentication virtual server generated responses

Starting from Citrix ADC release build 13.0-76.29, the Content-Security-Policy (CSP) response header is supported for Citrix Gateway and authentication virtual server generated responses.

The Content-Security-Policy (CSP) response header is a combination of policies that the browser uses to avoid cross-site scripting (XSS) attacks. The HTTP CSP response header allows website administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks. The CSP header is designed to modify the way browsers render pages, and thus to protect against various cross-site injections, including XSS. It is important to set the header value correctly, in a way that does not prevent proper operation of the website. For example, if the header is set to prevent execution of inline JavaScript, the website must not use inline JavaScript in its pages.

The following are the advantages of the CSP response header.

  • The primary function of a CSP response header is to prevent XSS attacks.
  • In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used; for example (and ideally, from a security standpoint), a server can specify that all content must be loaded using HTTPS.
  • CSP helps in securing Citrix ADC from cross-site scripting attacks by securing files like “tmindex.html” and “homepage.html”. The file “tmindex.html” is related to authentication and the file “homepage.html” is related to the published apps/links.

Configuring Content-Security-Policy header for Citrix Gateway and authentication virtual server generated responses

To enable the CSP header, configure your web server to return the Content-Security-Policy HTTP header.

Points to note

  1. By default, the CSP header is disabled.
  2. When enabling or disabling the default CSP policy, you are recommended to run the following command: flush cache contentgroup loginstaticobjects
  3. To modify the CSP policy for tmindex.html, homepage.html and so on, you are recommended to modify httpd.conf. Open httpd.conf in a text editor, scroll down to the DirectoryMatch tag, locate the directories “/netscaler/ns_gui/vpns” and “/netscaler/ns_gui/epa”, and modify the “Header set Content-Security-Policy” line.

To configure CSP for authentication virtual server and Citrix Gateway generated responses using the CLI, type the following command at the command prompt:

set aaa parameter -defaultCSPHeader <ENABLE/DISABLE>

To configure CSP for Citrix Gateway and authentication virtual server generated responses using the GUI:

  1. Navigate to Citrix Gateway > Global Settings, and click Change authentication AAA settings under Authentication Settings.

  2. On the Configure AAA Parameters page, select Enabled in the Default CSP Header field.

An example for Content-Security-Policy header customization

The following example customizes the CSP header so that, besides the gateway's own origin, scripts and images are loaded only from the two specified sources, https://company.fqdn.com and https://example.com.

Sample configuration

add rewrite action modify_csp insert_http_header Content-Security-Policy "\"default-src 'self'; script-src 'self' https://company.fqdn.com 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src http://localhost:* https://example.com 'self' data: http: https:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; child-src 'self' com.citrix.agmacepa://* citrixng://* com.citrix.nsgclient://*; form-action 'self'; object-src 'self'; report-uri /nscsp_violation/report_uri\""

add rewrite policy add_csp true modify_csp

bind authentication vserver auth1 -policy add_csp -priority 1 -gotoPriorityExpression NEXT -type AAA_RESPONSE
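A policy inserted by a rewrite action is only as strong as its directives. The following added example (not part of the Citrix documentation) parses the sample header value above the way a browser does, falls back to default-src for unset fetch directives, and reports the settings that weaken the XSS protection, such as 'unsafe-inline' and 'unsafe-eval' in script-src or the bare http:/https: schemes in img-src; the frame-ancestors and reporting checks are additional checks not discussed on the page.

```python
# Added example: audit a Content-Security-Policy value as the ADC inserts it.
from typing import Dict, List

# Policy string copied from the sample rewrite action on this page.
SAMPLE_CSP = (
    "default-src 'self'; script-src 'self' https://company.fqdn.com 'unsafe-inline' "
    "'unsafe-eval'; connect-src 'self'; img-src http://localhost:* https://example.com "
    "'self' data: http: https:; style-src 'self' 'unsafe-inline'; font-src 'self'; "
    "frame-src 'self'; child-src 'self' com.citrix.agmacepa://* citrixng://* "
    "com.citrix.nsgclient://*; form-action 'self'; object-src 'self'; "
    "report-uri /nscsp_violation/report_uri"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}.
    As in the CSP spec, a repeated directive is ignored after its first occurrence."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives that are not set explicitly inherit default-src."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(header: str) -> List[str]:
    """Return findings for settings that reduce the protection CSP is meant to give."""
    policy = parse_csp(header)
    findings: List[str] = []
    # Inline script/eval and inline styles re-open the injection vectors CSP closes.
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in effective_sources(policy, "script-src"):
            findings.append(f"script-src allows {weak}")
    if "'unsafe-inline'" in effective_sources(policy, "style-src"):
        findings.append("style-src allows 'unsafe-inline'")
    # A bare scheme or * matches every origin using that scheme.
    for directive in ("script-src", "img-src", "connect-src", "frame-src", "object-src"):
        for src in effective_sources(policy, directive):
            if src in ("*", "http:", "https:"):
                findings.append(f"{directive} allows any origin via {src}")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors not set: framing of the page is not restricted by CSP")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations are not reported")
    return findings
```

Running audit_csp on the sample policy lists the relaxed script-src and style-src keywords and the open img-src schemes, which is the trade-off to review before enabling the default CSP header in production.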