KB Article #193260

How to modify the CSP header for API Manager/Gateway servlet endpoints?

Problem

How to modify the Content-Security-Policy header for API Manager and Gateway servlet endpoints?


Resolution

To give the servlet endpoints (API Manager /api/portal/v1.4 and API Gateway /api) the same CSP value as the one defined for static content, start from the value of the env.SERVICES.CONTENTSECURITYPOLICY variable (API Manager) in ../apigateway/groups/group-X/instance-Y/conf/envSettings.props, for example:

env.SERVICES.CONTENTSECURITYPOLICY=script-src 'self'; img-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; media-src 'self'; frame-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; manifest-src 'none'; connect-src 'self' https://*:8075 https://*:8065 https://*:443 https://portals-search-api.admin.axway.com; form-action 'self'; prefetch-src 'none'


For API Manager, the following VM argument / property then needs to be added inside ../apigateway/groups/group-X/instance-Y/conf/jvm.xml (on a single line), with value replaced by that CSP string:


<VMArg name="-Dcom.axway.apigw.secureheaders.csp=value"/>

Example:


<VMArg name="-Dcom.axway.apigw.secureheaders.csp=script-src 'self'; img-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; media-src 'self'; frame-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; manifest-src 'none'; connect-src 'self' https://*:8075 https://*:8065 https://*:443 https://portals-search-api.admin.axway.com; form-action 'self'; prefetch-src 'none'"/>



For API Gateway, the VM argument goes into ../apigateway/conf/jvm.xml and is based on the env.MANAGEMENT.CONTENTSECURITYPOLICY value in ../apigateway/conf/envSettings.props:


env.MANAGEMENT.CONTENTSECURITYPOLICY=script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; media-src 'self'; frame-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; manifest-src 'none'; connect-src 'self' https://portals-search-api.admin.axway.com; form-action 'self'; prefetch-src 'none'

so the VM argument should be:


<VMArg name="-Dcom.axway.apigw.secureheaders.csp=script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; media-src 'self'; frame-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; manifest-src 'none'; connect-src 'self' https://portals-search-api.admin.axway.com; form-action 'self'; prefetch-src 'none'"/>


Note: After adjusting this inside the corresponding jvm.xml, the changed component must be restarted for the modification to take effect.
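The property value and the VMArg have to be kept in step by hand, which is easy to get wrong when the CSP is later tightened in envSettings.props but jvm.xml is left untouched. The following script is an added example (not Axway code, not part of this article) that reads the CSP value from a .props text, renders the single-line VMArg element for jvm.xml, and reports directive-level differences between the two. The file contents below are constructed samples; the property key, the -Dcom.axway.apigw.secureheaders.csp name and the file layout follow this article, and the assumption that the real jvm.xml uses one VMArg element per line with a double-quoted name attribute is mine.

```python
"""Render and verify the jvm.xml VMArg that mirrors a CSP value from envSettings.props.

Added example, not Axway code. Assumes the VMArg form shown in the article:
    <VMArg name="-Dcom.axway.apigw.secureheaders.csp=<csp value>"/>
"""
from __future__ import annotations

import re
from xml.sax.saxutils import quoteattr, unescape

CSP_PROPERTY = "-Dcom.axway.apigw.secureheaders.csp"

# Constructed excerpt of an API Manager envSettings.props (values shortened).
SAMPLE_ENV_SETTINGS = """# constructed sample, not a real instance file
env.SERVICES.CONTENTSECURITYPOLICY=script-src 'self'; img-src 'self' blob:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; upgrade-insecure-requests; connect-src 'self' https://*:8075
"""

# Constructed excerpt of a jvm.xml whose CSP has drifted (img-src lacks blob:).
SAMPLE_JVM_XML = """<ConfigurationFragment>
    <VMArg name="-Dcom.axway.apigw.secureheaders.csp=script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; upgrade-insecure-requests; connect-src 'self' https://*:8075"/>
</ConfigurationFragment>
"""


def read_property(props_text: str, key: str) -> str:
    """Return the value of the first 'key=value' line in a .props text."""
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(key + "="):
            return line[len(key) + 1:].strip()
    raise KeyError(f"{key} not found")


def build_vmarg(csp_value: str) -> str:
    """Render the VMArg element on one line; quoteattr escapes &, <, > for XML.

    The CSP grammar uses single quotes ('self', 'none'), so quoteattr picks
    double quotes for the attribute, matching the article's examples.
    """
    return "<VMArg name=%s/>" % quoteattr(f"{CSP_PROPERTY}={csp_value}")


def csp_from_jvm_xml(jvm_xml_text: str) -> str | None:
    """Extract the CSP value from an existing VMArg line, or None if absent."""
    pattern = r'<VMArg\s+name="' + re.escape(CSP_PROPERTY) + r'=([^"]*)"\s*/>'
    match = re.search(pattern, jvm_xml_text)
    return unescape(match.group(1)) if match else None


def parse_csp(policy: str) -> dict[str, tuple[str, ...]]:
    """Split a CSP string into {directive: (source expressions, ...)}.

    A directive without sources (upgrade-insecure-requests) maps to ().
    """
    directives: dict[str, tuple[str, ...]] = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0]] = tuple(parts[1:])
    return directives


def csp_mismatches(expected: str, actual: str) -> dict[str, tuple]:
    """Directives whose sources differ or are missing on one side: {name: (expected, actual)}."""
    exp, act = parse_csp(expected), parse_csp(actual)
    return {
        name: (exp.get(name), act.get(name))
        for name in sorted(set(exp) | set(act))
        if exp.get(name) != act.get(name)
    }


def check_alignment(props_text: str, key: str, jvm_xml_text: str) -> dict[str, tuple]:
    """Compare the .props CSP with the jvm.xml VMArg; empty dict means they match."""
    expected = read_property(props_text, key)
    actual = csp_from_jvm_xml(jvm_xml_text)
    if actual is None:
        raise ValueError("jvm.xml has no CSP VMArg; add: " + build_vmarg(expected))
    return csp_mismatches(expected, actual)


if __name__ == "__main__":
    csp = read_property(SAMPLE_ENV_SETTINGS, "env.SERVICES.CONTENTSECURITYPOLICY")
    print("VMArg to place in jvm.xml:\n" + build_vmarg(csp))
    drift = check_alignment(SAMPLE_ENV_SETTINGS, "env.SERVICES.CONTENTSECURITYPOLICY", SAMPLE_JVM_XML)
    for name, (want, have) in drift.items():
        print(f"drift in {name}: props={want} jvm.xml={have}")
```

For the API Gateway instance the same functions apply with env.MANAGEMENT.CONTENTSECURITYPOLICY and the ../apigateway/conf paths. After the restart, parse_csp and csp_mismatches can also be run on the Content-Security-Policy header the servlet endpoint actually returns, which confirms that the restarted component picked up the new VMArg rather than only that the file was edited.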