Adding HTTP Content-Security-Policy headers for Agile Service Manager web pages (on-prem)

To make your deployment more secure and to restrict the dynamic content that can be loaded into each web page, you may wish to enable HTTP Content-Security-Policy (CSP) headers for Agile Service Manager web pages.

About this task

If you run dynamic web application security scans against your environment, they may recommend that CSP headers be used for additional security.

The following variables in the nasm-ui.yml file are used to enable this functionality:
    SECURITY__USE_CSP: ${UI_USE_CSP:-false}
    SECURITY__FRAMEANCESTORS: ${CI_DASH_ENDPOINT:-https://localhost:16311}
    SECURITY__ALLOW_SCRIPT_EVAL: ${UI_ALLOW_SCRIPT_EVAL:-true}

Procedure

  1. To enable this feature, use an appropriate editor and modify the .env file in the root ASM directory by adding the following example variables:
    UI_USE_CSP=true
    CI_DASH_ENDPOINT=https://<dash-host>:16311
    UI_ALLOW_SCRIPT_EVAL=true
    where <dash-host> is the hostname of your NOI DASH server.
  2. Restart Agile Service Manager using the $ASM_HOME/bin/asm_start.sh script.

What to do next

Important: If you enable CSP headers and also want websites other than your primary DASH UI host to be able to include Agile Service Manager pages in iframes, modify the SECURITY__FRAMEANCESTORS setting in the nasm-ui.yml file directly rather than changing CI_DASH_ENDPOINT.
Why?
By default SECURITY__FRAMEANCESTORS takes its value from CI_DASH_ENDPOINT, but CI_DASH_ENDPOINT in the .env file has other purposes in Agile Service Manager and must always point to your primary DASH host, or the federation between Agile Service Manager and DASH may break.
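After restarting Agile Service Manager, a practitioner will want to confirm that the UI actually sends a Content-Security-Policy header that matches the .env settings from the procedure above and the frame-ancestors note. The following check is an added example and is not part of the product: it parses a header value, verifies that frame-ancestors includes the origin of CI_DASH_ENDPOINT, and compares the presence of 'unsafe-eval' with UI_ALLOW_SCRIPT_EVAL. The .env values and the header text are constructed, since this page does not show the exact policy the UI emits.

```python
# Added example: checks an ASM UI Content-Security-Policy header against the .env
# settings above. The header below is constructed; the page does not show the real one.
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed .env values mirroring the procedure (the DASH host is a placeholder).
SAMPLE_ENV = {"UI_USE_CSP": "true",
              "CI_DASH_ENDPOINT": "https://dash.example.com:16311",
              "UI_ALLOW_SCRIPT_EVAL": "true"}
# Constructed response header, as captured from the UI after asm_start.sh.
SAMPLE_HEADER = ("default-src 'self'; script-src 'self' 'unsafe-eval'; "
                 "frame-ancestors 'self' https://dash.example.com:16311")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def origin_of(url: str) -> str:
    """Reduce a URL such as CI_DASH_ENDPOINT to its scheme://host:port origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_csp(env: Dict[str, str], header: Optional[str]) -> List[str]:
    """Return findings; an empty list means the header matches the .env intent."""
    if env.get("UI_USE_CSP", "false").lower() != "true":
        return ["UI_USE_CSP is not true: no CSP header is expected"]
    if header is None:
        return ["UI_USE_CSP=true but no Content-Security-Policy header was sent"]
    findings: List[str] = []
    policy = parse_csp(header)
    ancestors = [a.lower() for a in policy.get("frame-ancestors", [])]
    dash = origin_of(env.get("CI_DASH_ENDPOINT", "https://localhost:16311"))
    if not ancestors:
        findings.append("frame-ancestors missing: any site may frame the UI")
    elif dash not in ancestors:
        findings.append(f"frame-ancestors omits the DASH host {dash}")
    # With no script-src, browsers fall back to default-src for scripts.
    script_src = policy.get("script-src", policy.get("default-src", []))
    eval_allowed = "'unsafe-eval'" in script_src
    if eval_allowed != (env.get("UI_ALLOW_SCRIPT_EVAL", "true").lower() == "true"):
        findings.append("'unsafe-eval' in script-src does not match UI_ALLOW_SCRIPT_EVAL")
    return findings

if __name__ == "__main__":
    print(check_csp(SAMPLE_ENV, SAMPLE_HEADER) or ["OK"])
```

To check a live deployment, pass the value of the Content-Security-Policy response header captured from the UI in place of SAMPLE_HEADER, and the values from your .env file in place of SAMPLE_ENV.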