Secure Content-Security-Policy (CSP) header
The default shipped value of the Content-Security-Policy (CSP) HTTP header has been restricted to limit traffic to only the IIS Web Server (or load balancer) hosting the product. There is one exception: a wildcard (*) in the connect-src policy, so that Bravura Security Fabric works upon installation. Bravura Security recommends that the Content-Security-Policy header be further restricted and hardened by replacing the wildcard with only the valid hostnames for Bravura Security Fabric. Valid hostnames include the individual instance hostnames of each server (for example, https://fabric-server1.company.com and https://fabric-server2.company.com), the main load balancer hostname (for example, https://fabric.company.com), and any special hosts added to the ALLOWED ORIGINS system variable (Manage the system > Maintenance > System variables).
Example
The Content-Security-Policy header contains a number of different directives. The one that needs to be further hardened is connect-src, so leave the rest as they are unless you have a reason to change them. Here is an example of the hardened policy with the three URLs from the previous paragraph.
Content-Security-Policy: connect-src 'self' https://fabric-server1.company.com/ https://fabric-server2.company.com/ https://fabric.company.com/; default-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https://www.recaptcha.net/; img-src data: 'self'; object-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'
The CSP can be set in IIS on each server, or it may instead be set globally on a load balancer that rewrites (overwrites) the header. To modify this value in IIS:
Open IIS Manager on each server.
In the left panel, expand the server node (named after the server's computer name).
In the left panel, expand Sites.
In the left panel, expand the website the product was installed under (defaults to Default Web Site).
In the left panel, click on the product instance name.
In the center panel, double click HTTP Response Headers.
In the center panel, double click Content-Security-Policy. Edit the value and then click OK.
Harden form-action
If you are not using SAML, or are using SAML without an HTTP/HTTPS POST redirect method, form-action should be secured by removing the wildcard (*):
form-action 'self';
If you are using SAML, form-action should be hardened by replacing the wildcard (*) with the URL of the authentication server. Replace the wildcard in the CSP with the actual URL.
Shipped CSP snippet:
form-action 'self' *;
Hardened snippet when using SAML with the HTTP/HTTPS POST redirect method. Note that in our testing, a trailing slash was required on this URL. It can also be just the hostname (a path is not required).
form-action 'self' https://customerid.oktapreview.com/app/instanceid_xyz_1/
External Images
Occasionally external images are used, and these need to be added to the CSP as well. Profile pictures in user profiles and the OrgChart can be uploaded (so they are served by the same server as the product), or can be a link to an external directory of photos. If an external directory is used, its URL must be added to the end of the img-src policy, which would look like this:
img-src data: 'self' http://photos.company.com;
Troubleshooting
Make sure you test the value afterward to ensure Bravura Security Fabric behaves correctly.
Caution
An incorrectly written policy can result in a white screen (due to no scripts or styles being allowed to load). There are CSP validators on the internet that you can paste your value into to have it validated.
When the CSP is violated, you will see the following type of error in the Chrome or Edge console, and that part of the product will not load. Ensure the necessary hostnames are included.
Refused to connect to 'https://bravuranode2.company.com/bravura/cgi/ajax.exe?guacamoleplay:guacamoleread' because it violates the following Content Security Policy directive: "connect-src 'self' https://fabric-server1.company.com/ https://fabric-server2.company.com/ https://fabric.company.com/".
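The hardening steps above (replacing the connect-src wildcard with explicit Fabric hosts, and restricting form-action either to 'self' or to the SAML authentication server) and the troubleshooting step (reading a console violation to find the missing host) are small string manipulations that are easy to get wrong by hand. The following is an added example, not Bravura Security's code or tooling: it parses a CSP header into directives, replaces the wildcards, reports any directive that still carries a bare *, and parses a Chrome/Edge "Refused to ..." console line to tell you which directive rejected which origin. The policy, hostnames and IdP URL are constructed in the style of the page's examples; the console line is the one shown above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (hypothetical): a shipped-style policy that still carries a
# wildcard in connect-src and form-action, as this page describes.
SHIPPED_CSP = (
    "connect-src 'self' *; default-src 'self'; form-action 'self' *; "
    "frame-ancestors 'self'; frame-src 'self' https://www.recaptcha.net/; "
    "img-src data: 'self'; object-src 'none'; "
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.recaptcha.net/; "
    "style-src 'self' 'unsafe-inline'"
)

# Hypothetical hostnames in the style of the page's examples (not real servers).
FABRIC_HOSTS = [
    "https://fabric-server1.company.com/",
    "https://fabric-server2.company.com/",
    "https://fabric.company.com/",
]
SAML_IDP = "https://customerid.oktapreview.com/app/instanceid_xyz_1/"

# The console error quoted on this page, used as sample troubleshooting input.
SAMPLE_CONSOLE_LINE = (
    "Refused to connect to 'https://bravuranode2.company.com/bravura/cgi/ajax.exe"
    "?guacamoleplay:guacamoleread' because it violates the following Content "
    "Security Policy directive: \"connect-src 'self' https://fabric-server1.company.com/ "
    "https://fabric-server2.company.com/ https://fabric.company.com/\"."
)


def parse_csp(header):
    """Split a CSP header into an ordered {directive: [source expressions]} map."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Turn the map back into a header value, preserving directive order."""
    return "; ".join(f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items())


def wildcard_directives(policy):
    """Names of directives whose source list still contains a bare '*'."""
    return sorted(name for name, sources in policy.items() if "*" in sources)


def replace_wildcard(policy, directive, hosts):
    """Return a copy of the policy with '*' in `directive` replaced by explicit hosts.
    Directives without a wildcard are left untouched."""
    hardened = {name: list(sources) for name, sources in policy.items()}
    sources = hardened.get(directive, [])
    if "*" in sources:
        kept = [s for s in sources if s != "*"]
        hardened[directive] = kept + [h for h in hosts if h not in kept]
    return hardened


def harden(header, connect_hosts, saml_idp=None):
    """Apply the page's two hardening steps: explicit connect-src hosts, and
    form-action restricted to 'self' (no SAML POST) or to the IdP URL (SAML POST)."""
    policy = replace_wildcard(parse_csp(header), "connect-src", connect_hosts)
    policy = replace_wildcard(policy, "form-action", [saml_idp] if saml_idp else [])
    return serialize_csp(policy)


# Matches the Chrome/Edge wording quoted on this page ("Refused to connect to ...").
VIOLATION_RE = re.compile(
    r"Refused to .*?'(?P<url>[^']+)' because it violates the following "
    r"Content Security Policy directive: \"(?P<directive>[^\"]+)\""
)


def diagnose_violation(console_line, page_origin=None):
    """Parse a CSP console error and return (directive, blocked origin, already_listed).
    Trailing slashes are ignored when comparing hosts; 'self' is only resolved when
    the page origin is supplied. Returns None if the line is not a CSP violation."""
    m = VIOLATION_RE.search(console_line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    origin = f"{parts.scheme}://{parts.netloc}"
    name, *sources = m.group("directive").split()
    if page_origin and origin == page_origin.rstrip("/"):
        listed = "'self'" in sources
    else:
        listed = origin in {s.rstrip("/") for s in sources}
    return name, origin, listed


if __name__ == "__main__":
    print("Wildcards in shipped policy:", wildcard_directives(parse_csp(SHIPPED_CSP)))
    print("Hardened (SAML POST):", harden(SHIPPED_CSP, FABRIC_HOSTS, SAML_IDP))
    print("Hardened (no SAML):  ", harden(SHIPPED_CSP, FABRIC_HOSTS))
    print("Violation:", diagnose_violation(SAMPLE_CONSOLE_LINE))
```

Run the hardened value through wildcard_directives before deploying it; an empty list means no directive still contains a bare *. For a violation, the returned origin (scheme and host, without the path) is the value to append to the named directive, unless already_listed is True, in which case the problem is elsewhere (for example a typo or a missing trailing slash on the load balancer's rewritten header).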
Upgrading
When upgrading, you will need to compare the custom hardened CSP with the new CSP included in the upgrade to make sure all the necessary exceptions are included in the policy. Keep the existing CSP somewhere safe in case the upgrade replaces the CSP.
Read more about the Content-Security-Policy at https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.