Content-Security-Policy directive in Prognosis web.config file and how to config this file to resolve it

David_Sun
Community Manager

If a web security scanner has scanned the Prognosis web application server and reported the following, this is an expected result:

CSP Scanner: Wildcard Directive:

Positive

The CSP headers are not set for the following: script-src, style-src, img-src, connects-src, frame-src, font-src, media-src, object-src, manifest-src, worker-src, prefetch-src

Prognosis does not set these CSP directives by default. Their values depend on the server name and/or FQDN of the machine, so they need to be set after installation, if required.

To set them, make a backup of the web.config file located in the <Prognosis>\WebUI\IIS directory, then open it in Notepad and find the Content-Security-Policy line below:

<add name="Content-Security-Policy" value="frame-ancestors 'self';" />

The directives are set in this line. Replace it with the updated line below:

<add name="Content-Security-Policy" value="frame-ancestors 'self'; img-src https://FQDN/; script-src 'unsafe-inline' 'unsafe-eval' https://FQDN/; style-src 'unsafe-inline' https://FQDN/; connect-src https://FQDN/; frame-src https://FQDN/; font-src https://FQDN/; media-src https://FQDN/; object-src https://FQDN/; manifest-src https://FQDN/; worker-src https://FQDN/; prefetch-src https://FQDN/" />

FQDN is the actual host name in the URL used to connect to the Prognosis web interface, e.g. hostname.domain.com.

If a specific IP address is also used to connect to the Prognosis web server, it can be added to the line as well. For example:

<add name="Content-Security-Policy" value="frame-ancestors 'self'; img-src https://FQDN/ https://1.2.3.4/; script-src 'unsafe-inline' 'unsafe-eval' https://FQDN/ https://1.2.3.4/; style-src 'unsafe-inline' https://FQDN/ https://1.2.3.4/; connect-src https://FQDN/ https://1.2.3.4/; frame-src https://FQDN/ https://1.2.3.4/; font-src https://FQDN/ https://1.2.3.4/; media-src https://FQDN/ https://1.2.3.4/; object-src https://FQDN/ https://1.2.3.4/; manifest-src https://FQDN/ https://1.2.3.4/; worker-src https://FQDN/ https://1.2.3.4/; prefetch-src https://FQDN/ https://1.2.3.4/" />

The FQDN and IP address are separated by a space.

Save the file when you finish editing; the Prognosis web service will pick up the change automatically.
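As an added example (not code from the post or from IR), the following Python script does the checks behind the procedure above: it reads the Content-Security-Policy value out of a web.config, reports which of the directives named in the scanner output are still unset, composes the replacement value for a given FQDN and optional IP addresses in the same order as the line above, and lists the 'unsafe-inline' and 'unsafe-eval' keywords that the recommended line carries, since those keywords permit inline script/style and eval() and a scanner may continue to report the directives that contain them. The customHeaders element nesting, the host name and the IP address in the sample are constructed for this example and are not taken from the Prognosis installation.

```python
"""Added example, not from the Prognosis post or from IR: parse the CSP header
out of an IIS web.config, report which scanner-listed directives are missing,
and compose the replacement value the post describes. The customHeaders layout
and all sample values below are constructed for this example."""
import xml.etree.ElementTree as ET

# Directives the scanner report on the page lists as unset, using the CSP spelling.
SCANNED_DIRECTIVES = [
    "img-src", "script-src", "style-src", "connect-src", "frame-src", "font-src",
    "media-src", "object-src", "manifest-src", "worker-src", "prefetch-src",
]

# Constructed web.config fragment carrying the default Prognosis header line
# (the element nesting is an assumption about the IIS layout, not taken from the post).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="frame-ancestors 'self';" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; a trailing ';' leaves an empty segment that is skipped."""
    directives = {}
    for segment in value.split(";"):
        tokens = segment.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def read_csp(web_config_xml):
    """Return the value of the Content-Security-Policy <add> element, or raise if it is absent."""
    root = ET.fromstring(web_config_xml)
    for add in root.iter("add"):
        if add.get("name") == "Content-Security-Policy":
            return add.get("value", "")
    raise ValueError("no Content-Security-Policy header in web.config")


def missing_directives(value):
    """Directives from the scanner list that the current header does not set."""
    present = parse_csp(value)
    return [d for d in SCANNED_DIRECTIVES if d not in present]


def build_csp(fqdn, extra_hosts=()):
    """Compose the replacement value in the post's order. Every allowed origin is
    written as https://host/, and multiple origins are separated by a single space."""
    origins = " ".join(f"https://{host}/" for host in (fqdn, *extra_hosts))
    parts = [
        "frame-ancestors 'self'",
        f"img-src {origins}",
        f"script-src 'unsafe-inline' 'unsafe-eval' {origins}",
        f"style-src 'unsafe-inline' {origins}",
    ]
    parts += [f"{d} {origins}" for d in SCANNED_DIRECTIVES[3:]]
    return "; ".join(parts)


def weak_sources(value):
    """Per directive, list the 'unsafe-inline' / 'unsafe-eval' keywords it carries.
    They permit inline script/style and eval(), so a scanner may keep reporting
    those directives even once every directive is set."""
    weak = {"'unsafe-inline'", "'unsafe-eval'"}
    return {d: [s for s in srcs if s in weak]
            for d, srcs in parse_csp(value).items() if weak & set(srcs)}


def updated_web_config(web_config_xml, fqdn, extra_hosts=()):
    """Return web.config text with the CSP value replaced; all other elements untouched."""
    root = ET.fromstring(web_config_xml)
    for add in root.iter("add"):
        if add.get("name") == "Content-Security-Policy":
            add.set("value", build_csp(fqdn, extra_hosts))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    current = read_csp(SAMPLE_WEB_CONFIG)
    print("current header :", current)
    print("missing        :", missing_directives(current))
    new_value = build_csp("hostname.domain.com", ["1.2.3.4"])  # constructed host and IP
    print("replacement    :", new_value)
    print("weak keywords  :", weak_sources(new_value))
```

Run against a copy of the real web.config by passing its contents to read_csp and updated_web_config; the script deliberately edits only the value attribute of the Content-Security-Policy element, so the rest of the file is left as the installer wrote it.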
