Is Content Security Policy (CSP) available for AWS ALB or WAF?


I have done a security vulnerability scan against my hosted site behind ALB with WAF integration. The scan reported the following:

Content Security Policy (CSP) Missing csp_no_policy_v2

Recommendation:

  • Implement a Content Security Policy (CSP) by configuring HTTP headers on your web server.

I have been poking around the ALB Attribute settings and WAF rules but can't seem to find where I can add the CSP HTTP header configuration. Any help is greatly appreciated.

Thank You

1 Answer
Accepted Answer

Both ALB and WAF are unable to add a CSP HTTP header. You can configure your host web server to include the necessary CSP header.

Alternatively, you can put Amazon CloudFront in front of your ALB and use either a managed or custom Response Headers Policy (screenshot below).

[Screenshot: CloudFront Response Headers Policy configuration]

AWS
EXPERT
Mike_L
answered a month ago
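One way to prepare the CloudFront option from the answer, as an added example that is not the answerer's code or an AWS artifact: it builds the `ResponseHeadersPolicyConfig` JSON that `aws cloudfront create-response-headers-policy --response-headers-policy-config file://csp-policy.json` accepts, and includes a small header check of the kind the scanner performs. The policy name, CDN host and directive values are constructed placeholders.

```python
"""Build a CloudFront Response Headers Policy that sets Content-Security-Policy.

Added example, not from the re:Post answer. CloudFront sets the header at the
edge because neither ALB nor WAF can inject response headers.
"""
from __future__ import annotations
import json

# Constructed starting policy: scripts limited to the site itself plus one CDN
# host (placeholder). Tighten or loosen per application before deploying.
CSP_DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"],
}


def build_csp(directives: dict[str, list[str]]) -> str:
    """Serialize a directive map into a single CSP header value."""
    return "; ".join(f"{name} {' '.join(src)}" for name, src in directives.items())


def build_policy_config(name: str, csp_value: str) -> dict:
    """Shape of ResponseHeadersPolicyConfig expected by the CloudFront API.
    Override=True makes CloudFront replace any CSP header the origin sends."""
    return {
        "Name": name,
        "Comment": "CSP added at the edge; ALB/WAF cannot add response headers",
        "SecurityHeadersConfig": {
            "ContentSecurityPolicy": {"Override": True, "ContentSecurityPolicy": csp_value},
            "ContentTypeOptions": {"Override": True},
        },
    }


def csp_missing(response_headers: dict[str, str]) -> bool:
    """Mimic the scanner finding: True when no CSP header is present (case-insensitive)."""
    names = {k.lower() for k in response_headers}
    return not ({"content-security-policy", "content-security-policy-report-only"} & names)


if __name__ == "__main__":
    config = build_policy_config("csp-policy-example", build_csp(CSP_DIRECTIVES))
    with open("csp-policy.json", "w") as f:
        json.dump(config, f, indent=2)  # feed to the aws cloudfront CLI command above
```

After creating the policy, attach it to the distribution's cache behavior; the ALB origin itself stays unchanged.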
