GlobalSCAPE Knowledge Base


Specify CSP to Pass Security Web Scans and to use Google reCaptcha for Drop-Off


kmarsh
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.11 and later

DISCUSSION

The Content Security Policy (CSP) HTTP response header declares which dynamic resources are allowed to load in the browser. 

By default, EFT will issue the following CSP header:
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;

These values have the following meanings, as documented here: https://content-security-policy.com/.

default-src 'self' = the fallback policy for loading any content type that has no more specific directive; 'self' restricts loading to the EFT site's own origin

'unsafe-inline' = allows inline source elements such as style attributes, onclick handlers, script tag bodies, and javascript: URIs

'unsafe-eval' = allows unsafe dynamic code evaluation such as JavaScript eval()

CUSTOM CSP HEADER

You can add further directives, such as “script-src” and “style-src”, by overriding the default CSP header via the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

(If the EFT Server 7.4 key does not exist, create it.)

Key Type: STRING

Key name: CSPHeaderOverride

Values: Provide the new CSP header string. For example: 

default-src 'self'; font-src *; img-src * data:; script-src *; style-src *;

You do not need to restart the EFT server service for the new CSP to take effect.

CSP WHEN reCAPTCHA IS USED FOR DROP-OFF PORTAL

If you enable Google reCAPTCHA for the Drop-off portal, you will need to modify the allowed CSP domains to also include google.com and gstatic.com. This is necessary so that Google’s reCAPTCHA service will work.

Change CSPHeaderOverride to:

default-src 'self' www.google.com www.gstatic.com 'unsafe-inline' 'unsafe-eval' data:;

  • If you disable reCAPTCHA, you should consider removing the override so that the default CSP is used. 
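To see what the default header, a custom override, and the reCAPTCHA override actually permit before a scanner or the Drop-off page tells you, the following added checker (hypothetical example code, not part of EFT or this article) parses a CSP string, applies the default-src fallback, tests whether a directive may load from a given host, and lists the permissive sources ('unsafe-inline', 'unsafe-eval', '*') that web security scans typically flag. The two header strings are taken from this article; everything else is assumed.

```python
"""Parse a Content-Security-Policy header and check what it allows (hypothetical checker)."""

def parse_csp(header: str) -> dict:
    """Split 'name src src; name src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: dict, directive: str) -> list:
    """Source list governing a fetch directive; falls back to default-src when unset."""
    return policy.get(directive, policy.get("default-src", []))

def source_allows(source: str, host: str) -> bool:
    """True if one source expression permits loading from `host`."""
    if source == "*":
        return True
    if source.startswith("'") or source.endswith(":"):  # keywords and scheme sources (data:) are not host matches here (simplification)
        return False
    host_part = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    if host_part.startswith("*."):
        return host == host_part[2:] or host.endswith("." + host_part[2:])
    return host == host_part

def allows_host(policy: dict, directive: str, host: str) -> bool:
    """Does the policy let `directive` load from `host`?"""
    return any(source_allows(s, host.lower()) for s in effective_sources(policy, directive))

def scan_findings(policy: dict) -> list:
    """List the permissive settings a web security scanner typically reports."""
    return [f"{d} allows {s}" for d, sources in policy.items()
            for s in sources if s in ("'unsafe-inline'", "'unsafe-eval'", "*")]

# Constructed inputs: the EFT default header and the reCAPTCHA override quoted in the article.
DEFAULT_CSP = "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;"
RECAPTCHA_CSP = "default-src 'self' www.google.com www.gstatic.com 'unsafe-inline' 'unsafe-eval' data:;"

if __name__ == "__main__":
    for name, header in (("default", DEFAULT_CSP), ("recaptcha", RECAPTCHA_CSP)):
        policy = parse_csp(header)
        print(name, "script-src from www.google.com:", allows_host(policy, "script-src", "www.google.com"))
        print(name, "scanner findings:", scan_findings(policy))
```

Running it shows the default header blocks reCAPTCHA's script host while the override allows it, and that both headers still carry the 'unsafe-inline' and 'unsafe-eval' findings a scan will report.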


Details
Last Modified: 3 days ago @ 2:50 PM
Last Modified By: kmarsh
Type: HOTFIX