How to modify HTTP Header on GSAD Web Interface

Hi Everyone,

I’m trying to modify the following HTTP headers on my instance of Greenbone Security Assistant Daemon.

  • Remove script-src unsafe-inline CSP Header
  • Remove style-src unsafe-inline CSP Header
  • Set Cross-Origin-Embedder-Policy Header
  • Set Cross-Origin-Opener-Policy Header

What I’ve tried:

To remove the unsafe-inline CSP header, I’ve tried adding `--http-csp="default-src 'self' 'unsafe-inline'; img-src 'self' blob:; frame-ancestors 'self'"`, however it results in the GSAD web interface being unable to load (it only shows a blank screen).

Questions:

  1. Is it feasible to set those modifications in GSAD (I’m doing it to resolve some findings from a security scanner)?

  2. What’s the recommended way to implement the modification?

  3. Are there any existing implementations or examples that I can refer to?

Any suggestions or guidance would be greatly appreciated!

An nginx reverse proxy is the most straightforward solution

Eero
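An nginx site configuration for the reverse-proxy approach suggested above, added here as an example and not taken from the thread or from the Greenbone project. It assumes gsad is bound to 127.0.0.1:9392 in HTTP-only mode, that a certificate and key exist at the placeholder paths shown, and that the CSP value (a placeholder copied from the question) has been tested against the GSA front end, since the thread shows that an untested policy leaves the UI blank.

```nginx
# Added example: nginx in front of gsad (not gsad's or Greenbone's own config).
# Assumes gsad was started with: --listen=127.0.0.1 --port=9392 --http-only
# and that the certificate/key paths below are replaced with real ones.
server {
    listen 443 ssl;
    server_name gsa.example.internal;            # placeholder hostname

    ssl_certificate     /etc/ssl/certs/gsa.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/private/gsa.key;  # placeholder path

    # Drop the CSP gsad sets so the browser sees only the value below.
    # If both headers reached the browser, it would enforce the
    # intersection of the two policies, and the original would still apply.
    proxy_hide_header Content-Security-Policy;

    # Replacement CSP: PLACEHOLDER taken from the poster's attempt. Tighten
    # it (e.g. drop 'unsafe-inline') only after verifying GSA still loads.
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src 'self' blob:; frame-ancestors 'self'" always;

    # The two cross-origin isolation headers requested in the question.
    add_header Cross-Origin-Opener-Policy   "same-origin"  always;
    add_header Cross-Origin-Embedder-Policy "require-corp" always;

    location / {
        proxy_pass         http://127.0.0.1:9392;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

After reloading nginx, check the response headers with `curl -I https://gsa.example.internal/` to confirm that exactly one Content-Security-Policy header is returned along with the two Cross-Origin headers, then open the GSA pages in a browser with the developer console visible to catch any CSP violations before changing the policy further.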

@abiyyufahmi or nginx proxy with mutual tls :slight_smile:

Eero

Hmm, that might work, I’ll look into it.

Thanks :slight_smile:

@abiyyufahmi The web interface can also be bound to localhost and accessed via an SSH tunnel.

Eero

Yes, that looks way easier to implement.

Thanks a lot