
I have a couple of web instances under an ALB and did a penetration test recently. One of the vulnerabilities was "Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header".

Remediation suggested:

I recommend setting a non-permissive Content-Security-Policy frame-ancestors header for all requested resources.

Does this mean I have to switch my content security policy on the ALB side?

The current one I'm using is ELBSecurityPolicy-TLS-1-2-2017-01.

Harish NR

1 Answer

One of the vulnerabilities was "Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header".

This just means your web instances could be embedded into third-party iframes. Only you can decide whether it is a vulnerability or not. Maybe your web instances provide some widgets to be iframed in other sites.

If you just wish to prevent the web site from being embedded in an iframe, Content-Security-Policy is not mandatory. You can use the X-Frame-Options: sameorigin HTTP header with the same functionality.

granty
  • can sameorigin be set on an AWS ALB in its rules? Or should it be set in the web server? – user12345 Apr 26 '21 at 16:10
  • Publish the HTTP header where it is more convenient for you, the main thing is that the browser receives it. – granty Apr 26 '21 at 20:58
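Whichever component ends up emitting the header (the web server behind the ALB, or the ALB itself), the pentest finding is closed only when the browser receives a restrictive policy. The following is an added example, not code from the question or the answer above: a small Python checker that takes a response's headers and reports whether framing is actually restricted. It applies the browser rules that matter here: a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options when both are present, a Content-Security-Policy-Report-Only header never blocks anything, and sources such as `*` or a bare scheme (`https:`) make frame-ancestors permissive. The sample header sets are constructed for the demonstration, and the partner hostname is a placeholder.

```python
"""Classify whether a response's headers prevent the page from being framed.

Added example for auditing the "Missing or Permissive frame-ancestors" finding;
the sample header sets at the bottom are constructed, not captured from a real site.
"""
from typing import Dict, List, Tuple

# Source expressions that let any origin frame the page.
PERMISSIVE_SOURCES = {"*", "http:", "https:"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources]}.

    Browsers honour the first occurrence of a directive and ignore repeats,
    so the first one wins here too. Source expressions are lower-cased because
    keywords and host names are matched case-insensitively.
    """
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def frame_ancestors_is_restrictive(sources: List[str]) -> bool:
    """A frame-ancestors list is permissive if any source admits arbitrary origins.

    An empty source list matches nothing (equivalent to 'none'), so it counts
    as restrictive.
    """
    return not any(src in PERMISSIVE_SOURCES for src in sources)


def framing_policy(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (restricted, reason) for one response's headers.

    Header names are matched case-insensitively. Only the enforcing CSP header
    is consulted; Content-Security-Policy-Report-Only is deliberately ignored.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy")
    if csp:
        directives = parse_csp(csp)
        if "frame-ancestors" in directives:
            # When frame-ancestors is present browsers ignore X-Frame-Options,
            # so the CSP verdict is final even if an X-Frame-Options header exists.
            sources = directives["frame-ancestors"]
            shown = " ".join(sources) or "(empty list: matches nothing)"
            if frame_ancestors_is_restrictive(sources):
                return True, f"CSP frame-ancestors {shown}"
            return False, f"CSP frame-ancestors is permissive: {shown}"

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"
    return False, "no frame-ancestors directive and no X-Frame-Options header"


# Constructed sample responses covering the cases a reviewer should recognise.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-only": {"X-Frame-Options": "sameorigin"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    # CSP wins over X-Frame-Options, so this one is permissive despite DENY.
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    # Allowing a named partner origin is still restrictive (placeholder hostname).
    "csp-partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Run framing_policy over a set of named header dictionaries."""
    return {name: framing_policy(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (restricted, reason) in audit(SAMPLE_RESPONSES).items():
        verdict = "restricted" if restricted else "PERMISSIVE"
        print(f"{name:13} {verdict:10} {reason}")
```

To use this against a live deployment, feed `framing_policy` the header dictionary from an HTTP client such as `requests` (`resp.headers`), and run it against every path the pentest report listed, since a header added at the origin for one virtual host or location block may be missing from others.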