The vCenter VAMI service must enable Content Security Policy.

An XCCDF Rule

Description

<VulnDiscussion>A Content Security Policy (CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259160r935384_rule
Severity: Medium
References: CCI-000366
Updated: 8 months ago

Navigate to and open:

/etc/applmgmt/appliance/lighttpd.conf

Locate the "setenv.add-response-header" parameter and add or update the following value:
"Content-Security-Policy"   => "default-src 'self'; img-src 'self' data: https://vcsa.vmware.com; font-src 'self' data:; object-src 'none'; style-src 'self' 'unsafe-inline'",

Note: The last line in the parameter does not need a trailing comma.

Restart the service with the following command:

# vmon-cli --restart applmgmt

The vCenter VAMI service must enable Content Security Policy.

Description

Remediation - Manual Procedure