Hi,
we are using the ELK stack under version.
After scanning our domain with Mozilla Observatory, the Mozilla tool showed us some recommendations to improve the security of our domain.
So we set in our front end (Apache HTTPD 2.4) the Content Security Policy (CSP) to: script-src 'self'; manifest-src 'self' ; style-src 'self'.
Kibana is running behind Apache. After this modification, Kibana is broken because Kibana executes some inline JavaScript:
"Something went wrong ....
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
and also for inline CSS:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' . Either the 'unsafe-inline' keyword, a hash ('sha256-9eqTA9rNfDQK1402M6lNw3aW9MsK4p4IfCLxlVEbKkE='), or a nonce ('nonce-...') is required to enable inline execution
My question is: are we forced to be less restrictive on our Apache by permitting execution of inline CSS and JavaScript to make Kibana work, and does Kibana really need that?
Is there a way to make the whole thing work by configuring Kibana?
Best regards,
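As an added example (not part of the original post or of Kibana's or Apache's own code), the script below parses the CSP header quoted above, checks it against the two browser complaints quoted in the post, and computes the narrowest relaxation that clears them: `'unsafe-eval'` for the eval error (which still blocks inline `<script>` blocks) and the single `sha256-…` hash the browser printed for the inline style (which admits only that one style block, not `'unsafe-inline'`). The violation list is constructed from the post's error messages; the fallback-to-`default-src` rule and the "a hash or nonce makes the browser ignore `'unsafe-inline'`" rule are standard CSP Level 2 behaviour.

```python
"""Added example: parse a Content-Security-Policy header, test it against
browser violations, and build the least-permissive relaxation that clears them.
Not Kibana's or Apache's code; the violations below are constructed from the
two error messages quoted in the post."""
from typing import Dict, List, Optional, Tuple

Policy = Dict[str, List[str]]


def parse_csp(header: str) -> Policy:
    """Split "dir src src; dir src" into {directive: [sources]}.
    Stray whitespace before ';' (as in "manifest-src 'self' ;") is tolerated."""
    policy: Policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: Policy) -> str:
    """Render a policy back into header form, e.g. for an Apache Header directive."""
    return "; ".join(" ".join([d] + s) for d, s in policy.items())


def _effective(policy: Policy, directive: str) -> Optional[List[str]]:
    # script-src / style-src fall back to default-src when they are absent
    return policy.get(directive, policy.get("default-src"))


def allows(policy: Policy, directive: str, need: str) -> bool:
    """need is 'eval', 'inline', or a hash/nonce token such as 'sha256-...'."""
    sources = _effective(policy, directive)
    if sources is None:
        return True  # neither the directive nor default-src: nothing is restricted
    quoted = {s.strip("'") for s in sources if s.startswith("'")}
    if need == "eval":
        return "unsafe-eval" in quoted
    has_hash_or_nonce = any(
        q.startswith(("sha256-", "sha384-", "sha512-", "nonce-")) for q in quoted
    )
    if need == "inline":
        # CSP2+: once a hash or nonce is listed, browsers ignore 'unsafe-inline'
        return "unsafe-inline" in quoted and not has_hash_or_nonce
    return need in quoted or ("unsafe-inline" in quoted and not has_hash_or_nonce)


def minimal_relaxation(policy: Policy, violations: List[Tuple[str, str]]) -> Policy:
    """Copy of policy with the narrowest change per violation:
    - 'eval'        -> add 'unsafe-eval'   (inline <script> blocks stay blocked)
    - hash/nonce    -> add that one token  (only that inline block is admitted)
    - 'inline'      -> add 'unsafe-inline' (last resort; admits every inline block)
    """
    relaxed = {d: list(s) for d, s in policy.items()}
    for directive, need in violations:
        if allows(relaxed, directive, need):
            continue
        sources = relaxed.setdefault(directive, list(relaxed.get("default-src", [])))
        if need == "eval":
            token = "'unsafe-eval'"
        elif need == "inline":
            token = "'unsafe-inline'"
        else:
            token = f"'{need}'"
        sources.append(token)
    return relaxed


# Constructed from the two browser errors quoted in the post
ORIGINAL = "script-src 'self'; manifest-src 'self' ; style-src 'self'"
VIOLATIONS = [
    ("script-src", "eval"),
    ("style-src", "sha256-9eqTA9rNfDQK1402M6lNw3aW9MsK4p4IfCLxlVEbKkE="),
]

if __name__ == "__main__":
    policy = parse_csp(ORIGINAL)
    for directive, need in VIOLATIONS:
        print(f"{directive} allows {need!r}: {allows(policy, directive, need)}")
    print("Relaxed header:", serialize_csp(minimal_relaxation(policy, VIOLATIONS)))
```

The relaxed header can be set from Apache with mod_headers (`Header always set Content-Security-Policy "..."`). Two caveats worth keeping in mind: `'unsafe-eval'` is a real loosening, just a smaller one than `'unsafe-inline'`, and a pinned style hash is only valid for that exact inline block, so a Kibana upgrade that changes the inline CSS will produce a new hash and a new violation, which is why a CSP report endpoint (`report-uri` / `report-to`) is useful for catching such breakage before users do.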