03-15-2024 10:57 AM
Hi All-
We have LSVPN configured and working.
However, a recent security scan shows that Content Security Policy (CSP ) issue with the gateway default login script in PA.
It complains about:
script-src: self
style-src: self
Is there any suggestion on how this can be fixed?
Thank you!
03-20-2024 07:20 AM
Hi @MingIkehara ,
As far as I know this is a false positive alert.
How to check the presence of Response Security Headers in PAN-OS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HC9uCAG&lang=en_US%E2%80%A...
Connection: keep-alive
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
Please NOTE, because we use inline scripts for multiple purpose/locations, there is no easy way to remove the unsafe-inline tag from the CSP header.
There is a feature request planned for PAN-OS which has no ETA as of yet as it requires Source code change.
This vulnerability is not considered as a threat, and we have Feature Request ID: 19173.
By providing this Feature ID you can add your vote to it and check with your Account team when it is implemented.
Kind regards,
-Kim.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
