Forum Discussion

JA500001
May 30, 2019

Implementing a Content Security Policy without using unsafe-inline and unsafe-eval


We have a number of web application domain/VIPs presented from our internet facing BIGIP LTM ADCs, running version of TMOS.

In order to guarantee security of our web applications (developers were not always understanding/providing or correctly delivering a suitable set of Content Security Policy behaviours with their applications) we have chosen to implement a CSP on the BIGIP.


We have noticed a number of unsafe-inline and unsafe-eval sections of the web application codebase, inline styles being generated, inline source being generated and the likes.


We have currently whitelisted these via the unsafe-inline and unsafe-eval directives in a CSP, which a BIGIP response headers policy creates and attaches to the web application/VIP.


We would like to have the BIGIP dynamically generate a nonce instruction and add that into the CSP header for each response the BIGIP sends back to the client for the associated web application.


Our initial thoughts are that we could do this using a combination of an iRule and whitelisting a set of allowed files, but we would like to understand if there is a best practice to realise this type of requirement, maybe using other mechanisms/capabilities/features such as ASM, which we also have protecting these web application domains.


Many thanks in advance for your help/guidance on this!
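The per-response work a nonce-based CSP needs, written out in Python as an added example (not code from the thread, from F5, or an iRule): the nonce must be fresh and unpredictable, it must go into the header, and every inline `<script>`/`<style>` in the body must carry the same nonce, otherwise the header alone blocks all inline code. The sample HTML is constructed; note there is no nonce equivalent for `'unsafe-eval'`, so eval()/new Function() has to be removed from the application code rather than whitelisted.

```python
import re
import secrets

# Constructed sample response body: one external script plus an inline
# script and style that currently force 'unsafe-inline' into the policy.
SAMPLE_HTML = (
    "<html><head><style>body{margin:0}</style></head>"
    "<body><script src=\"/static/app.js\"></script>"
    "<script>initApp();</script></body></html>"
)

def make_nonce(nbytes: int = 16) -> str:
    """One single-use nonce per response: 128 bits of CSPRNG output,
    base64url-encoded. A static or guessable nonce defeats the policy."""
    return secrets.token_urlsafe(nbytes)

def build_csp(nonce: str) -> str:
    """Nonce-based policy that replaces 'unsafe-inline'. 'unsafe-eval' has
    no nonce substitute; eval()/new Function() must leave the code instead."""
    return (
        f"default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'; "
        f"object-src 'none'; base-uri 'self'"
    )

_INLINE_TAG = re.compile(r"<(script|style)(\s[^>]*)?>", re.IGNORECASE)

def tag_inline(html: str, nonce: str) -> str:
    """Add nonce="..." to <script>/<style> opening tags without a src
    attribute. External scripts are covered by 'self' and need no nonce."""
    def repl(m):
        tag, attrs = m.group(1), m.group(2) or ""
        if re.search(r"\ssrc\s*=", attrs, re.IGNORECASE):
            return m.group(0)
        return f'<{tag}{attrs} nonce="{nonce}">'
    return _INLINE_TAG.sub(repl, html)

def apply_csp(html: str) -> tuple:
    """Header and body rewrite together, with the same nonce, per response.
    Returns (response headers dict, rewritten body)."""
    nonce = make_nonce()
    headers = {"Content-Security-Policy": build_csp(nonce)}
    return headers, tag_inline(html, nonce)

if __name__ == "__main__":
    hdrs, body = apply_csp(SAMPLE_HTML)
    print(hdrs["Content-Security-Policy"])
    print(body)
```

On the BIG-IP this same pairing has to happen in the response path (header insertion plus body rewrite on the HTML responses), and the nonce must never be reused across responses.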