Content Security Policy response header support for Citrix Gateway and authentication virtual server-generated responses
Starting from Citrix ADC release build 13.0–76.29, the Content-Security-Policy (CSP) response header is supported for Citrix Gateway and authentication virtual server-generated responses.
The following are the advantages of the CSP response header.
- The primary function of a CSP response header is to prevent CSS attacks.
- In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used; for example (and ideally, from a security standpoint), a server can specify that all contents must be loaded using HTTPS.
- CSP helps in securing Citrix ADC from cross-site scripting attacks by securing files like “tmindex.html” and “homepage.html. The file “tmindex.html” is related to authentication and the file “homepage.html” is related to the published apps/links.
Configuring Content-Security-Policy header for Citrix Gateway and authentication virtual server-generated responses
To enable the CSP header, you need to configure your web server to return the CSP HTTP header.
Points to note
- By default, the CSP header is disabled.
- While enabling or disabling the default CSP policy, you are recommended to run the following command.
Flush cache contentgroup loginstaticobjects
- For modifying the CSP for /logon/LogonPoint/index.html, modify the “Header set Content-Security-Policy”. value as required under the section corresponding to the logon directory which can be found under the directory
To configure CSP for authentication virtual server and Citrix Gateway generated responses using CLI, type the following command at the command prompt:
set aaa parameter -defaultCSPHeader <ENABLE/DISABLE>
To configure CSP for Citrix Gateway and authentication virtual server-generated responses using GUI.
Navigate to Citrix Gateway > Global Settings, click Change authentication AAA settings under Authentication Settings.
On the Configure AAA Parameters page, select the Enabled in Default CSP Header field.
An example for Content-Security-Policy header customization
The following is an example for CSP header customization to include images and scripts only from the following two specified sources respectively,
add rewrite action modify_csp insert_http_header Content-Security-Policy "\"default-src 'self'; script-src 'self' https://company.fqdn.com 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src http://localhost:* https://example.com 'self' data: http: https:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; child-src 'self' com.citrix.agmacepa://* citrixng://* com.citrix.nsgclient://*; form-action 'self'; object-src 'self'; report-uri /nscsp_violation/report_uri\"" add rewrite policy add_csp true modify_csp bind authentication vserver auth1 -policy add_csp -priority 1 -gotoPriorityExpression NEXT -type AAA_RESPONSE