When loading the Kibana dashboard home page, unsafe-eval shows up for script-src:
content-security-policy: script-src 'unsafe-eval' 'self'
Is unsafe-eval required for the Kibana dashboard to work, or is it only needed for certain functions in the Kibana dashboard?
We have the following menus/functions on the left-hand side:
- Dev Tools
Usually, for 'default-src', 'script-src' and 'object-src', unsafe-eval is considered insecure and should be avoided, as banning the ability to execute strings makes it much more difficult for an attacker to execute unauthorized code on the site.