Technical Forum

Implementing a Content Security Policy without using unsafe-inline and unsafe-eval



We have a number of web application domain/VIPs presented from our internet facing BIGIP LTM ADCs, running version of TMOS.

In order to guarantee the security of our web applications (developers were not always understanding, providing or correctly delivering a suitable set of Content Security Policy behaviours with their applications), we have chosen to implement a CSP on the BIGIP.


We have noticed a number of unsafe-inline and unsafe-eval sections of the web application codebase: inline styles being generated, inline source being generated and the like.


We have currently whitelisted these via the use of the unsafe-inline and unsafe-eval directives in a CSP which a BIGIP response headers policy creates and attaches to the web application/VIP.


We would like to have the BIGIP dynamically generate a nonce instruction and add that into the CSP header for each response the BIGIP sends back to the client for the associated web application.


Our initial thoughts are that we could do this using a combination of an iRule and whitelisting a set of allowed files, but we would like to understand if there is a best practice to realise this type of requirement, maybe using other mechanisms/capabilities/features such as ASM, which we also have protecting these web application domains.


Many thanks in advance for your help/guidance on this!
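Added example, not part of the original post and not F5 code: the per-response nonce flow the poster describes, written as a small Python response filter so the logic can be run and checked offline. The header half (fresh nonce, CSP without 'unsafe-inline'/'unsafe-eval') is what an HTTP_RESPONSE iRule would emit; the body half (stamping the nonce onto every <script> and <style> tag) is what a STREAM rewrite would have to do, because a nonce in the header alone breaks every inline script that does not carry it. The directive set, header names, and the sample HTML are assumptions made for the example. It also reports what a nonce cannot cover: inline event handlers and javascript: URLs still need refactoring (or 'unsafe-hashes'), and eval()-style calls only run under 'unsafe-eval', so those must be removed from the code rather than whitelisted.

```python
"""Per-response CSP nonce: generate it, emit it in the header, reflect it
into the markup, and report what a nonce cannot cover. Illustrative Python
written for this thread; it is not an iRule and not F5 code. On a BIG-IP the
header part maps to HTTP_RESPONSE and the body part to a STREAM rewrite.
Header and HTML samples below are constructed for the example."""
import base64
import re
import secrets

def make_nonce(nbytes: int = 16) -> str:
    """128 bits from a CSPRNG, base64-encoded: a fresh value per response.
    A guessable or reused nonce is no better than 'unsafe-inline'."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def build_csp(nonce: str) -> str:
    """Nonce-based policy with no 'unsafe-inline' / 'unsafe-eval'.
    The directive set is an assumption; tune it to the application."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic' 'self'; "
        f"style-src 'nonce-{nonce}' 'self'; "
        "object-src 'none'; base-uri 'self'"
    )

# Opening <script>/<style> tags that do not already carry a nonce attribute.
_TAG_RE = re.compile(r"<(script|style)\b(?![^>]*\bnonce=)([^>]*)>", re.IGNORECASE)

def inject_nonce(html: str, nonce: str) -> str:
    """Stamp nonce="..." onto every <script> and <style> opening tag.
    Running it twice is harmless: already-nonced tags are skipped."""
    return _TAG_RE.sub(lambda m: f'<{m.group(1)} nonce="{nonce}"{m.group(2)}>', html)

_HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)
_JSURL_RE = re.compile(r"""=\s*["']?\s*javascript:""", re.IGNORECASE)
_EVAL_RE = re.compile(r"""\beval\s*\(|\bnew\s+Function\s*\(|\bsetTimeout\s*\(\s*['"]""")

def csp_gaps(html: str) -> dict:
    """Count constructs a nonce does not whitelist. Inline handlers and
    javascript: URLs need refactoring (or 'unsafe-hashes'); eval-style
    calls only work under 'unsafe-eval', so the code itself must change."""
    return {
        "inline_handlers": len(_HANDLER_RE.findall(html)),
        "javascript_urls": len(_JSURL_RE.findall(html)),
        "eval_calls": len(_EVAL_RE.findall(html)),
    }

def process_response(headers: dict, body: str):
    """One response through the filter. Header names are assumed lower-case.
    Returns (headers, body, applied); applied is False when the policy was
    deliberately left unchanged because the body could not be rewritten."""
    ctype = headers.get("content-type", "")
    if not ctype.startswith("text/html"):
        return headers, body, False        # nothing to stamp; keep upstream policy
    if "content-encoding" in headers:
        # A compressed body cannot be regex-rewritten. On a BIG-IP, strip
        # Accept-Encoding on the request so the origin sends plain text, or
        # decompress first; emitting the nonce header without the body
        # rewrite would break every script on the page.
        return headers, body, False
    nonce = make_nonce()
    new_body = inject_nonce(body, nonce)
    new_headers = dict(headers)
    new_headers["content-security-policy"] = build_csp(nonce)   # replaces any upstream CSP
    new_headers["content-length"] = str(len(new_body.encode("utf-8")))
    return new_headers, new_body, True

# Constructed sample page: one stylesheet, one external and one inline script,
# plus an inline handler and an eval() that a nonce alone will not fix.
SAMPLE_HTML = """<html><head>
<style>body { color: #333 }</style>
<script src="/static/app.js"></script>
</head><body>
<button onclick="doThing()">Go</button>
<script>var cfg = eval('(' + document.body.dataset.cfg + ')');</script>
</body></html>"""

if __name__ == "__main__":
    hdrs, page, ok = process_response({"content-type": "text/html; charset=utf-8"}, SAMPLE_HTML)
    print(hdrs["content-security-policy"])
    print(page)
    print("remaining gaps:", csp_gaps(page))
```

The regex rewrite is deliberately simple and assumes well-formed tags; on a real deployment the equivalent STREAM expression needs the same two preconditions shown in process_response (HTML only, uncompressed body), and the gap report is the kind of check to run against each application before 'unsafe-inline' and 'unsafe-eval' are dropped from the policy.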


