Mark,

Thank you for your prompt reply. Right now my other alternative would be to 
modify the nginx entry for Guacamole and add the lines below to the config file. 
I was consulting the info found on this page: 
https://gist.github.com/plentz/6737338 

# Content Security Policy (CSP) enabled
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'";

Not sure if that would work, but can you please elaborate on the custom filter? 
Do you have any CSP examples I can use for Guacamole?

Thanks

On Wednesday, September 19, 2018, 9:35:57 AM EDT, Mark Nolan <[email protected]> wrote:

Difficult to know what your exact requirements are. For samples of CSP
headers, you can look here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

I don't have any specific experience with CSP, but to add custom headers,
you will need to use a filter.

I thought the http header security filter might do it, but it looks like it
doesn't. You should still consider it:
https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html.

Other than that, you will probably need to write a custom filter, which is
what I have always ended up doing for odd header requirements.

Mark


On Wed, 19 Sep 2018, 18:12 Tezarin, <[email protected]> wrote:

> Hi,
> I need to implement a Content Security Policy (CSP) for the guacamole web
> application. This is done via HTTP headers added to the response from the
> tomcat server running guacamole. So here are the questions I would ask
> myself:
> 1. How do I add HTTP headers to a tomcat server or guacamole
> configuration? If I cannot do it easily, how do I add them to an nginx
> config for a proxied application?
> 2. What is the format of the CSP header?
> 3. What is a good CSP policy to implement to cover what we need?
> I was just wondering if anyone has done this before. Any help would be
> much appreciated. I am using Guacamole inside docker containers.
> Thanks
>
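
The custom filter Mark refers to, written out as an added example for this thread (it is not code from the Guacamole project or from either poster). It is a plain servlet filter for the javax.servlet API that Tomcat 8.0 provides, and it writes the same directive set as the nginx snippet quoted above as its default policy. The class name, package name and the two init-param names (`policy`, `reportOnly`) are my own choices, not anything Tomcat or Guacamole defines.

```java
package example; // hypothetical package name chosen for this example

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that adds a Content-Security-Policy header to every response.
 *
 * Added example for the mailing-list thread above; not part of Guacamole.
 * Compiles against the servlet-api jar that Tomcat 8.0 already ships in lib/.
 */
public class CspHeaderFilter implements Filter {

    /** Header written when the policy is enforced by the browser. */
    public static final String ENFORCE_HEADER = "Content-Security-Policy";

    /** Header written when violations are only reported, not blocked. */
    public static final String REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only";

    /**
     * Default policy: the directive set from the nginx snippet in the thread.
     * 'unsafe-inline' and 'unsafe-eval' in script-src give up most of what CSP
     * offers against injected script; keep them only while you are working out
     * which resources the application actually loads.
     */
    public static final String DEFAULT_POLICY =
            "default-src 'self'; "
          + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
          + "img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'";

    private String policy = DEFAULT_POLICY;
    private boolean reportOnly = false;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Both init-params are optional; names are this example's own choice.
        String configured = config.getInitParameter("policy");
        if (configured != null && !configured.trim().isEmpty()) {
            policy = configured.trim();
        }
        reportOnly = Boolean.parseBoolean(config.getInitParameter("reportOnly"));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // setHeader (not addHeader): replace any existing value rather
            // than emit a second CSP header, which browsers would intersect.
            http.setHeader(headerName(), policy);
        }
        // Set the header before handing off down the chain: once the servlet
        // has committed the response, later header changes are silently dropped.
        chain.doFilter(request, response);
    }

    /** Header name that will be written, depending on the reportOnly setting. */
    public String headerName() {
        return reportOnly ? REPORT_ONLY_HEADER : ENFORCE_HEADER;
    }

    /** Policy string currently in effect (default or from web.xml). */
    public String getPolicy() {
        return policy;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

To wire it in, declare the class in a `<filter>` element with a matching `<filter-mapping>` on `/*`, either in the webapp's own WEB-INF/web.xml (compiled class under WEB-INF/classes) or, to avoid touching the guacamole war in the Docker image, as a jar in Tomcat's lib/ declared in conf/web.xml the same way the commented-out httpHeaderSecurity filter there is enabled. Start with the `reportOnly` init-param set to `true` so the browser logs violations in its console instead of blocking resources, use that to learn what the Guacamole client actually loads, tighten the policy, then switch to enforcing. If nginx in front of Tomcat also sets the header, remove one of the two; a browser that receives both applies the stricter intersection, which is rarely what you intended.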