I have an Alfresco 5.2 Community edition and I'm testing its security using the OWASP ZAP tool (version 2.11.1). Alfresco runs behind an nginx reverse proxy which applies the HTTPS certificate.
Scanning my Alfresco, I receive some warnings about "Content Security Policy (CSP) Header Not Set" and, as expected, the Content-Security-Policy header is not present in the HTTP response. The warnings are found at the following URLs:
- https://myAlfresco.it/share
- https://myAlfresco.it/share/page
- https://myAlfresco.it/share/page?error=true
Why does Alfresco not set this header by default? Do I have to configure something in the application?
Checking online, the suggestion is to modify my nginx config files and add that header. I've tried some options:
If I use this directive:
add_header Content-Security-Policy "default-src 'self' https://myAlfresco.it;" always;
the Share page stops loading correctly.
If I use the most permissive one, Alfresco works but ZAP tells me the vulnerability is still present:
add_header Content-Security-Policy "default-src 'self' https://myAlfresco.it 'unsafe-eval' 'unsafe-inline';" always;
I've tried several mixed configs, but either the platform stops working or the vulnerability is still present. Do you have any suggestion? Am I missing something?
Thanks
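Added example (not Alfresco, nginx or ZAP code): a small checker that parses a Content-Security-Policy value and reports the things a scanner typically objects to, so the two policies from the question can be compared before touching the nginx config. The rule set is an assumption modelled on common scanner checks: a missing header, a missing default-src, an unquoted keyword such as self (which the browser reads as a host name, not the 'self' keyword), a wildcard source, and 'unsafe-inline' or 'unsafe-eval' in default-src or script-src.

```python
"""Check a Content-Security-Policy header value for common weaknesses.

Added example; the rules are an assumption modelled on typical scanner
findings, not ZAP's own rule set.
"""
from typing import Dict, List

# Source-list keywords that are only valid when wrapped in single quotes.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "default-src a b; script-src c" into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(header: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: List[str] = []
    if not header.strip():
        return ["CSP header not set"]
    policy = parse_csp(header)
    if "default-src" not in policy:
        findings.append("no default-src fallback directive")
    for directive, sources in policy.items():
        for src in sources:
            bare = src.strip("'").lower()
            quoted = src.startswith("'") and src.endswith("'")
            if bare in KEYWORDS and not quoted:
                findings.append(f"{directive}: {src} is unquoted, so it is read "
                                f"as a host name, not the keyword '{bare}'")
            if src == "*":
                findings.append(f"{directive}: wildcard source allows any origin")
        # Inline and eval permissions on script-capable directives defeat
        # the XSS protection CSP is meant to give.
        if directive in ("default-src", "script-src"):
            for weak in ("'unsafe-inline'", "'unsafe-eval'"):
                if weak in sources:
                    findings.append(f"{directive}: {weak} permits inline/eval scripts")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the two policies from the question, with the
    # unquoted self the way it was first written.
    for value in ("", "default-src 'self' https://myAlfresco.it;",
                  "default-src self https://myAlfresco.it 'unsafe-eval' 'unsafe-inline';"):
        print(repr(value), "->", csp_findings(value) or "no findings")
```

The strict policy is clean for the checker but breaks Share; the permissive one works because it re-enables inline and eval scripts, which is exactly what the scanner keeps reporting.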