The Adminapp allows configuring a Content Security Policy (CSP) to protect itself from certain types of attacks. This article describes why this is important, its consequences, and how to configure it.
Why imposing a CSP is important
CSPs are an added layer of security that helps mitigate certain attacks like cross-site scripting (XSS). Basically, a CSP tells the browser how to restrict access to resources such as scripts and images.
The Adminapp exposes certain risks by allowing an administrator to perform privileged tasks such as editing credentials and setting authentication methods. Securing the Adminapp as much as possible is therefore very important.
Even if the Adminapp is only accessible internally, the administrator's browser is exposed to risks resulting from accessing other websites. CSPs lower the risk of being attacked by malicious web applications running in the same browser as the IAM Adminapp.
We strongly recommend enabling the CSP in the Adminapp and keeping it as strict as possible.
Configuration of the Adminapp CSP
The CSP for the Adminapp has been introduced with IAM 8.0 and is enabled by default.
- To alter or disable the Adminapp CSP:
- Go to:
Adminapp >> Content Security Policy (CSP) - To configure a custom CSP, use the plugin Adminapp Content Security Policy.
- To disable the CSP, use the plugin No Adminapp Content Security Policy. This results in the same behavior as in IAM 7.7 and earlier.
Limitations
- The Admin CSP restricts the usage of certain features and does not apply to some parts of the Adminapp:
- There are two types of editors to edit maintenance messages, the HTML Editor and the Plain Text Editor. The HTML Editor cannot be used if the default Adminapp CSP is enabled in the Config Editor.
- The maintenance message editor type is configured under:
- Adminapp >> Maintenance Messages >> Default Editor
- Adminapp >> Maintenance Messages >> Locations >> Editor
- User management extensions may require the Admin CSP to be relaxed. Whether or not and how the CSP must be relaxed depends on what the user management extension does.
- The Adminapp CSP is not applied to the Config Editor.
- The Adminapp CSP is not applied to the Service Container UI.
If the HTML Editor is selected, the Adminapp CSP must be disabled or relaxed. Refer to the Config Editor's documentation of property Default Editor for further information.