The vCenter VAMI service must enable Content Security Policy.
An XCCDF Rule
Description
<VulnDiscussion>A Content Security Policy (CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-259160r1003739_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Navigate to and open:
/opt/vmware/etc/lighttpd/applmgmt-lighttpd.conf
If header "Content-Security-Policy" is not present, add the following line to the end of the file: