Is Content Security Policy (CSP) available for AWS ALB or WAF?

Question

I have done a security vulnerability scan against my hosted site behind ALB with WAF integration. The scan reported the following:

Content Security Policy (CSP) Missing
csp_no_policy_v2

Recommendation:
- Implement a Content Security Policy (CSP) by configuring HTTP headers on your web server.

I have been poking around the ALB Attribute settings and WAF rules but can't seem to find where I can add the CSP HTTP header configuration. Any help is greatly appreciated.

Thank You

Accepted Answer

Both ALB and WAF are unable to add CSP HTTP header.
You can configure your host web server to include the necessary CSP header.

Alternatively, you can put [Amazon CloudFront](https://aws.amazon.com/cloudfront/) in front of your ALB, and use either a managed or custom [Response Headers Policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html) (screen shot below)

![Enter image description here](/media/postImages/original/IM6S2kdaK-T12XRLIn-Pqs-Q)

Is Content Security Policy (CSP) available for AWS ALB or WAF?

관련 콘텐츠