Search

GlobalSCAPE Knowledge Base

Specify CSP to Pass Security Web Scans and to use Google reCaptcha for Drop-Off

Karla Marsh
EFT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

DISCUSSION

The Content Security Policy (CSP) HTTP response header declares which dynamic resources are allowed to load in the browser.

By default, EFT will issue the following CSP header:
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;

These values have the following meanings, as documented here: https://content-security-policy.com/.

default-src 'self' = default policy for loading content

'unsafe-inline' = allow use of inline source elements such as style attribute, onclick, script tag bodies, javascript: URIs

'unsafe-eval'= allows unsafe dynamic code evaluation such as JavaScript eval()

CUSTOM CSP HEADER

You can add additional values, such as “script-src” and “style-src”, by overriding the default CSP header via the registry or as an Advanced Property:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

 Key Type: STRING

Key name: CSPHeaderOverride

Values: Provide the new CSP header string. For example: 

default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;

You do not need to restart the EFT server service for the new CSP to take effect.

CSP WHEN reCAPTCHA IS USED FOR DROP-OFF PORTAL

If you enable Google reCAPTCHA for the Drop-off portal, you will need to modify the allowed CSP domains to also include google.com and gstatic.com. This is necessary so that Google’s reCAPTCHA service will work.

Change CSPHeaderOverride to:

default-src 'self' www.google.com www.gstatic.com 'unsafe-inline' 'unsafe-eval' data:;

  • If you disable reCAPTCHA, you should consider removing the override so that the default CSP is used.  (This setting has no effect in Internet Explorer.)

Details
Last Modified: Last Year
Last Modified By: kmarsh
Type: HOTFIX
Rated 2 stars based on 16 votes.
Article has been viewed 39K times.
Options
Also In This Category
Tags