Author: Ranjith R
Co-Author: Soumya R Dash
Why are we implementing Content Security Policy (CSP)?
We are implementing Content Security Policy (CSP) in our application to enhance security by controlling which resources the browser is allowed to load and execute. CSP helps prevent attacks such as Cross-Site Scripting (XSS) and data injection by restricting untrusted or malicious content from running. This protects our users' data, improves the overall safety of the application, and helps maintain trust. Additionally, CSP supports compliance with security best practices and regulatory requirements, making our application more secure and reliable.
What is the purpose of implementing Content Security Policy (CSP)?
We implement Content Security Policy (CSP) to protect our customers from a wide range of web-based security threats, particularly those that target the browser environment, such as cross-site scripting (XSS), data theft, and malicious content injection. CSP acts as a powerful browser-based security mechanism that defines which content sources are trusted and allowed to be loaded and executed on our website or application. By enforcing CSP, we ensure that only safe, approved resources such as scripts, styles, images, and iframes can be used, helping us block any unauthorised or malicious code from being injected or executed. This protects our users from potential attacks that could compromise sensitive data such as login credentials, personal information, or financial details.
What is the feature of CSP?
Content Security Policy (CSP) is a powerful web security feature designed to protect users and applications from various client-side attacks, particularly Cross-Site Scripting (XSS) and data injection. It allows developers to specify trusted sources for content such as scripts, styles, images, and fonts through HTTP headers or meta tags, thereby preventing unauthorised or malicious content from loading. CSP blocks inline scripts and dynamic code execution (such as eval()), helping to mitigate common attack vectors. It also provides control over content framing, protecting against clickjacking, and restricts form actions to approved URLs to prevent data leakage. Developers can use nonces or content hashes to allow specific inline code safely. CSP supports both enforcement and report-only modes, enabling organisations to test and monitor policies before enforcing them. Additionally, it offers violation reporting to a configured endpoint, which helps in identifying and fixing security gaps proactively. Overall, CSP enhances the security posture of web applications by enforcing strict content loading rules, protecting user data, and supporting regulatory compliance.
CSP FILTER in ICCSAP
CSP (Content Security Policy) in ICCSAP is a security feature that helps prevent cross-site scripting (XSS) and other code injection attacks by specifying the domains that a browser should recognise as valid sources of executable scripts. In ICCSAP, CSP is utilised to restrict the execution of inline scripts and the loading of external resources, ensuring that only trusted sources are permitted to run code within the application. This enhances the overall security posture of the ICCSAP application.
CSP Design

CSP Implementation
CSP (Content Security Policy) is implemented in ICCSAP to enhance application security by preventing cross-site scripting (XSS) and other code injection attacks. By defining the domains that a browser should recognise as valid sources of executable scripts, CSP limits the execution of inline scripts and the loading of external resources, ensuring that only trusted sources are permitted to run code within the application. This helps protect the application and its users from potential security threats.
Known Issues
When the CSP Filter is enabled and unsafe sources are eliminated, some applications and plug-ins that rely on IBM Content Navigator might break, including your own. Use this setting to debug your code and identify which areas are problematic. Follow the guide to learn about the issues and ways to address them. (https://www.ibm.com/support/pages/node/7030898)
Why does CSP need to be enabled?
Enabling CSP helps address the following attacks and risks:
- Prevents XSS Attacks: CSP regulates which scripts can run on a page. It blocks unauthorised or malicious scripts that attempt to steal data or hijack user sessions.
- Reduces Data Injection Risks: It helps prevent attackers from injecting malicious content (such as inline JavaScript or unauthorised resources) into web pages.
- Improves Trust and Compliance: Security policies like CSP are often part of compliance requirements (e.g., for PCI-DSS, GDPR) and enhance overall user trust.
- Mitigates Zero-Day Vulnerabilities: Even if vulnerabilities exist on your site, CSP can limit their exploitability by restricting the execution of unexpected content.
- Prevents Clickjacking (with frame-ancestors): CSP can be employed to control who can embed your site in a frame, protecting against clickjacking.
What is the usage of CSP in ICCSAP?
In the context of ICCSAP (IBM Content Collector for SAP Applications), the term Content Security Policy (CSP) refers to a security feature implemented in web applications to prevent various attacks, including Cross-Site Scripting (XSS) and data injection attacks.
Typical Usage of CSP:
- Restrict Resource Loading: Limit the sources from which scripts, images, and other resources can be loaded, reducing the risk of malicious content injection.
- Prevent Inline Scripts: Prohibit the execution of inline scripts, which are frequently exploited in XSS attacks.
- Control Object Embedding: Specify allowed sources for plugins and other embedded objects, minimising the attack surface.
- Enhance Reporting: Enable the reporting of violations to a specified endpoint, aiding in monitoring and improving security posture.
How is the CSP Filter enabled?
Content Security Policy (CSP) is an additional layer of security in a browser that helps mitigate attacks like data injection and Cross-Site Scripting (XSS).
To customise the CSP, an administrator needs to configure the web server to modify the CSP HTTP header. However, with the CSP Filter, administrators do not need to manually configure the header. The filter automatically removes the unsafe-inline and unsafe-eval keywords from all HTTP responses.
When keywords like unsafe-inline and unsafe-eval are included, they allow older and potentially unsafe code to execute, creating opportunities for attackers to inject unsafe functions.
Browser security is enhanced when:
- The keywords unsafe-inline and unsafe-eval are removed.
- Inline scripts and eval() expressions are eliminated.
- Nonces are appended to valid scripts.
In IBM Content Navigator, an administrator can eliminate the unsafe keywords by enabling the following JVM options:
- -Dcom.ibm.ecm.icn.system.security.csp.removeUnsafeEval=true
- -Dcom.ibm.ecm.icn.system.security.csp.removeUnsafeInline=true
Developers must remove instances of inline code and eval() expressions and update the code to ensure the application continues to function. Removing unsafe-eval prevents any eval() statement from executing at runtime: a script that uses eval() produces an error in the developer console instead of running.
When the removeUnsafeInline setting is set to true, Navigator removes the unsafe-inline keyword from the header and automatically appends the nonce.
When unsafe-inline is removed, inline event handler attributes such as onclick and onblur on elements no longer execute. Every script tag must carry the nonce for its code to run; otherwise, the browser blocks that script tag from executing on the page.
<!-- No longer works: inline script without a nonce -->
<script>alert(1);</script>
<!-- Will work: the nonce matches the 'nonce-...' value in the script-src directive -->
<script nonce="123-abc">alert(1);</script>
Where is CSP Filter Implemented in ICCSAP IF19?
ICCSAP CSP implementation was developed with the following features.
· IBM Content Collector for SAP Applications Administration Feature
- Archiving Profiles
- Document-Linking Profiles
- Index Transfer Profiles
· IBM Content Collector for SAP Applications Configuration Feature
· IBM Content Collector for SAP Applications Operation Feature
- Archiving Task
- Document-Linking Task
- Index Transfer Task
CSP FILTER UI