Csp configuration

ashu1 · September 18, 2019, 4:07pm

Hi all...I was asked to do App scan on Kibana and on doing the scan,the generated reports listed out below issues.

http://hostname:5601/app/kibana and http://hostname:5601/ui/favicons/manifest.json and
http://hostname:5601/bundles/app/kibana/bootstrap.js

Issue: Insecure web application programming or configuration
FIX: Configure "Content-Security-Policy" header with secure policies
Configure "X-Content-Type-Options" header with "nosniff" value
Config your server to use the "X-XSS-Protection" header with value '1'

I've tried setting csp policy and but it didn't fix the issues.Any suggestions on this??

Thanks

Larry_Gregory · September 18, 2019, 4:11pm

Hi @ashu1,

You can configure Kibana to send custom response headers by specifying server.customResponseReaders in your kibana.yml (example here: Format of kibana server.customResponseHeaders)

ashu1 · September 18, 2019, 4:22pm

@Larry_Gregory --Thanks,let me configure and run the scan.

ashu1 · September 18, 2019, 10:39pm

@Larry_Gregory -- 2 out of 3 issues are fixed.
When I tried to set "Content-Security-Policy" header kibana fails to load.

Larry_Gregory · September 19, 2019, 12:26pm

Kibana ships with its own set of CSP rules, which it should be sending to the browser on its own already.

The built-in CSP is still pretty unrestrictive, so it is possible that an automated security scanner is still finding issues with the policy that's in place. We are actively working on locking down the policy further, but this takes time, as Kibana uses a lot of libraries that themselves rely on permissive CSP policies.

ashu1 · September 20, 2019, 7:14am

@Larry_Gregory -- Thanks a lot!!

system · October 18, 2019, 7:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.