Missing or insecure "Content-Security-Policy" header #4925

Open
2 of 9 tasks
sureshhcl opened this issue Apr 27, 2021 · 0 comments
Labels
community Community Raised Issue

Comments

@sureshhcl

Stratos Version

4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

AppScan DAST scan should show secure "Content-Security-Policy" header

Actual behaviour

AppScan DAST scan shows Missing or insecure "Content-Security-Policy" header

Steps to reproduce the behavior

AppScan DAST scanned the Stratos URL https://ui.169.53.186.50.nip.io. AppScan detected that the Content-Security-Policy response header is missing or carries an insecure policy, which increases exposure to various cross-site injection attacks.

Log output covering before error and any error statements

Cookie: console-session=MTYxNTM4NzIzMnxCUXdBQWpFeXztgIxZj4pvgrBZifTEg0HKyav_eL0siIp-DGc0CaLQig==
Connection: keep-alive
Sec-Fetch-Mode: cors
Host: ui.169.53.186.50.nip.io
Accept: application/json, text/plain, */*
Accept-Language: en-US
Sec-Fetch-Dest: empty

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Credentials: true
Pragma: no-cache
Access-Control-Allow-Origin: 
Vary: Origin
X-Frame-Options: SAMEORIGIN
Cache-Control: no-store
Strict-Transport-Security: max-age=15724800; includeSubDomains
Date: Wed, 10 Mar 2021 14:45:51 GMT
Content-Type: application/json; charset=UTF-8

{
 "version": {
 "proxy_version": "4.4.0",
 "database_version": 20200902162200
 },
 "user": {
 "guid": "cf95db97-8e30-41f2-88c2-dd4ace246c94",
 "name": "admin",
 "admin": true,
 "scopes": [

Detailed Description

Enforce the use of HTTPS when sending sensitive information

Context

Possible Implementation

Configure your server to send the "Content-Security-Policy" header with secure policies

@richard-cox richard-cox added the community Community Raised Issue label Aug 16, 2021
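As an added illustration of what "missing or insecure" means for this finding (example code written for this page, not Stratos or Jet Stream code): a plain net/http middleware that stamps a Content-Security-Policy on every response, beside a small audit that applies the checks a DAST scanner typically runs on the header. The policies `WeakCSP` and `StrongCSP` are constructed for the example, the audit rules are a simplified approximation rather than AppScan's actual rule set, and the handler is a stand-in for the JSON endpoint seen in the captured response; none of these are taken from the project.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed policies for illustration; neither is taken from Stratos.
const (
	// WeakCSP is the kind of policy a scanner still reports as "insecure":
	// a header is present, but it allows any origin and inline/eval script.
	WeakCSP = "default-src * 'unsafe-inline' 'unsafe-eval'"
	// StrongCSP is a restrictive baseline; frame-ancestors 'self' is the CSP
	// counterpart of the X-Frame-Options: SAMEORIGIN the backend already sends.
	StrongCSP = "default-src 'self'; script-src 'self'; object-src 'none'; " +
		"base-uri 'self'; frame-ancestors 'self'; form-action 'self'"
)

// WithCSP is a plain net/http middleware (assumption: Jet Stream's own
// router is not used here) that sets the policy on every response.
func WithCSP(policy string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", policy)
		next.ServeHTTP(w, r)
	})
}

// ParseCSP splits a policy into directive name -> source expressions.
func ParseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, directive := range strings.Split(policy, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue
		}
		out[strings.ToLower(fields[0])] = fields[1:]
	}
	return out
}

// AuditCSP reports why a policy would be flagged as missing or insecure.
// The rules approximate common scanner checks and are not AppScan's rule set.
// An empty slice means the policy passed.
func AuditCSP(policy string) []string {
	if strings.TrimSpace(policy) == "" {
		return []string{"missing: no Content-Security-Policy header"}
	}
	p := ParseCSP(policy)
	var findings []string
	if _, ok := p["default-src"]; !ok {
		findings = append(findings, "insecure: no default-src fallback")
	}
	// Script execution is governed by script-src, falling back to default-src.
	for _, dir := range []string{"default-src", "script-src"} {
		for _, src := range p[dir] {
			s := strings.ToLower(src)
			switch {
			case s == "*":
				findings = append(findings, "insecure: "+dir+" allows any origin (*)")
			case s == "'unsafe-inline'", s == "'unsafe-eval'":
				findings = append(findings, "insecure: "+dir+" allows "+s)
			case s == "http:", s == "https:", s == "data:":
				findings = append(findings, "insecure: "+dir+" allows scheme-wide source "+s)
			}
		}
	}
	// Plugins (object-src) can run script too; require 'none', set directly
	// or inherited from default-src.
	obj, ok := p["object-src"]
	if !ok {
		obj = p["default-src"]
	}
	if !(len(obj) == 1 && strings.EqualFold(obj[0], "'none'")) {
		findings = append(findings, "insecure: object-src is not 'none'")
	}
	if _, ok := p["base-uri"]; !ok {
		findings = append(findings, "insecure: base-uri not set (an injected <base> redirects relative URLs)")
	}
	return findings
}

// ScanHandler issues one in-memory request and audits the CSP header on the
// response, which is what a DAST scanner does for each crawled URL.
func ScanHandler(h http.Handler) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return AuditCSP(rec.Header().Get("Content-Security-Policy"))
}

func main() {
	// Stand-in for a JSON endpoint like the one in the captured response.
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json; charset=UTF-8")
		fmt.Fprint(w, `{"version":{"proxy_version":"4.4.0"}}`)
	})
	cases := []struct {
		name string
		h    http.Handler
	}{{"no header", api}, {"weak", WithCSP(WeakCSP, api)}, {"strong", WithCSP(StrongCSP, api)}}
	for _, c := range cases {
		fmt.Printf("%-9s -> %v\n", c.name, ScanHandler(c.h))
	}
}
```

Roll a new policy out as `Content-Security-Policy-Report-Only` first and watch the browser console: a single-page frontend like the Stratos UI loads scripts and styles that a policy written blind will block, and the report-only header shows those violations without breaking the page.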