CSP Header Implementation – VAPT Compliance

1. Current Implementation

The application currently sends the following directives in its Content-Security-Policy (CSP) header:

Content-Security-Policy: default-src 'self'; frame-ancestors 'none';

2. Can Be Added

The following directives can be added to enhance security:

form-action 'self';
upgrade-insecure-requests;

Updated Header:

Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests;

3. Needs Evaluation

object-src 'none';
  • Can be added for on-prem installations
  • May affect external links in custom reports
  • Recommended to test before implementation

4. Not Required

block-all-mixed-content
  • Deprecated directive
  • Modern browsers handle mixed content automatically

5. Where to Add

File Location:

<AE_Application>/Tools/apache-tomcat-11.0.2/conf/web.xml

Configuration:

<filter>
    <filter-name>CSPFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>contentSecurityPolicy</param-name>
        <param-value>
            default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests;
        </param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CSPFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

6. Validation

  • Open browser → Developer Tools (F12)
  • Go to Network tab → Check Response Headers
  • Verify Content-Security-Policy is present
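As an added check for this step (example code, not part of the original document), the script below parses a CSP header value the way a browser does and reports which of the directives from sections 1, 2 and 4 are missing, incomplete or deprecated. The sample header values are constructed from sections 1 and 2; REQUIRED and DEPRECATED encode this document's expectations, not a general CSP standard.

```python
# Directives this document expects, with the source values each must contain.
# An empty set means the directive takes no value (a bare flag).
REQUIRED = {
    "default-src": {"'self'"},
    "frame-ancestors": {"'none'"},
    "form-action": {"'self'"},
    "upgrade-insecure-requests": set(),
}
# Directive that section 4 marks as deprecated / not required.
DEPRECATED = {"block-all-mixed-content"}

# Constructed sample values taken from sections 1 and 2 of this document.
CURRENT_HEADER = "default-src 'self'; frame-ancestors 'none';"
UPDATED_HEADER = ("default-src 'self'; frame-ancestors 'none'; "
                  "form-action 'self'; upgrade-insecure-requests;")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [sources]}.

    Directives are separated by ';', names are case-insensitive, and when a
    directive is repeated the first occurrence wins (browsers ignore later ones).
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def check_policy(header: str) -> list[str]:
    """Return findings against this document's expectations; [] means compliant."""
    policy = parse_csp(header)
    findings = []
    for name, sources in REQUIRED.items():
        if name not in policy:
            findings.append(f"missing directive: {name}")
        elif not sources <= set(policy[name]):
            findings.append(f"{name} lacks {' '.join(sorted(sources))}: {' '.join(policy[name])}")
    for name in DEPRECATED:
        if name in policy:
            findings.append(f"deprecated directive present: {name}")
    return findings


if __name__ == "__main__":
    for label, value in (("current", CURRENT_HEADER), ("updated", UPDATED_HEADER)):
        print(label, check_policy(value) or "OK")
```

Paste the value shown under Response Headers in the Network tab into `check_policy()` to compare the deployed header against the updated header from section 2.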

7. Note

  • Restart the application after changes
  • Validate application functionality post implementation

Note: This header is already in place as of version 8.4.0. This document applies only to versions prior to 8.4.0.
