CSP configuration

Hi all... I was asked to do an App scan on Kibana and, on doing the scan, the generated reports listed out the below issues.

  1. http://hostname:5601/app/kibana and http://hostname:5601/ui/favicons/manifest.json and

Issue: Insecure web application programming or configuration
FIX: Configure "Content-Security-Policy" header with secure policies
Configure "X-Content-Type-Options" header with "nosniff" value
Config your server to use the "X-XSS-Protection" header with value '1'

I've tried setting the CSP policy but it didn't fix the issues. Any suggestions on this?


Hi @ashu1,

You can configure Kibana to send custom response headers by specifying server.customResponseHeaders in your kibana.yml (example here: Format of kibana server.customResponseHeaders)
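For reference, a kibana.yml fragment that adds the two non-CSP headers the scanner asked for. This is an added example, not configuration posted in the thread or shipped by Kibana; the header names and values are the ones named in the scan findings, and "1; mode=block" is the common stricter form of the requested value '1' (a plain "1" also satisfies the finding). Content-Security-Policy is deliberately left out: Kibana sends its own CSP header, and adding one here is what made Kibana fail to load later in the thread.

```yaml
# kibana.yml (added example, not from the thread or from Kibana's defaults)
# Each key is a response header name; values must be quoted strings.
server.customResponseHeaders:
  X-Content-Type-Options: "nosniff"
  X-XSS-Protection: "1; mode=block"
  # Do NOT add Content-Security-Policy here. Kibana already emits its own CSP
  # header; overriding it from kibana.yml can break the UI.
```

Restart Kibana after editing the file, then re-run the scan (or fetch http://hostname:5601/app/kibana with curl -sI) to confirm both headers appear on every response.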

@Larry_Gregory --Thanks,let me configure and run the scan.

@Larry_Gregory -- 2 out of 3 issues are fixed.
When I tried to set "Content-Security-Policy" header kibana fails to load.

Kibana ships with its own set of CSP rules, which it should be sending to the browser on its own already.

The built-in CSP is still pretty unrestrictive, so it is possible that an automated security scanner is still finding issues with the policy that's in place. We are actively working on locking down the policy further, but this takes time, as Kibana uses a lot of libraries that themselves rely on permissive CSP policies.
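Before and after a change like the one above, it helps to check the response headers yourself rather than waiting on the next scanner run. The following is an added example, not code from the thread or from Kibana: it parses a raw `curl -sI` style response and reports the three findings the scanner listed. The header sets it runs on are constructed for illustration; in particular the CSP value is a placeholder standing in for a permissive policy, not Kibana's actual built-in rules, so the "CSP allows ..." finding shows why a scanner can still complain even when a CSP header is present.

```python
"""Check an HTTP response's headers for the three scanner findings in the thread.

Added example, not code from the thread or from Kibana. All header sets and
CSP strings below are constructed for illustration.
"""


def parse_response_headers(raw: str) -> dict:
    """Parse a raw HTTP response head (e.g. `curl -sI` output) into a dict.

    The status line is skipped; each 'Name: value' line becomes one entry.
    Header names keep their original spelling; lookups are case-insensitive.
    """
    headers = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # lines[0] is the status line, e.g. "HTTP/1.1 200 OK"
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def _get(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_headers(headers: dict) -> list:
    """Return a list of findings mirroring the scanner's three issues.

    - Content-Security-Policy must be present; if present, flag the two
      source expressions that make a policy effectively permissive.
    - X-Content-Type-Options must be exactly "nosniff".
    - X-XSS-Protection must be enabled (value starting with "1").
    """
    findings = []

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        weak = [tok for tok in ("'unsafe-inline'", "'unsafe-eval'") if tok in csp]
        if weak:
            findings.append("Content-Security-Policy allows " + ", ".join(weak))

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options header missing or not 'nosniff'")

    xxp = _get(headers, "X-XSS-Protection")
    if xxp is None or not xxp.strip().startswith("1"):
        findings.append("X-XSS-Protection header missing or not enabled ('1')")

    return findings


# Constructed sample: what Kibana might return before adding custom headers.
# The CSP string is a placeholder for "some permissive policy", not Kibana's real one.
RAW_BEFORE = """HTTP/1.1 200 OK
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
content-type: text/html; charset=utf-8
kbn-name: kibana
"""

# Constructed sample: the same response after server.customResponseHeaders adds
# the two headers from the kibana.yml example. The CSP is unchanged on purpose.
RAW_AFTER = RAW_BEFORE + """X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
"""


def findings_before() -> list:
    return check_headers(parse_response_headers(RAW_BEFORE))


def findings_after() -> list:
    return check_headers(parse_response_headers(RAW_AFTER))


if __name__ == "__main__":
    for label, result in (("before", findings_before()), ("after", findings_after())):
        print(f"{label}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Run it against a real capture by replacing the constructed `RAW_*` strings with the output of `curl -sI http://hostname:5601/app/kibana`. The expected shape of the result matches the thread: the two custom headers clear their findings, while a CSP that still permits inline scripts or eval keeps being reported until the built-in policy is tightened.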

@Larry_Gregory -- Thanks a lot!!
