Title of Vulnerability: Content Security Policy (CSP) Not Implemented - Risk Level: Moderate (CVSS=5.0) ONTAP 9.3P6
Rationale/Finding Description: The NetApp device's web interface failed to implement the CSP protection. CSP, if implemented, prevents cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
An attack requires publicly available tools, a considerable amount of time and knowledge of the existing code injection weaknesses in the web interface.
A successful attack could allow an attacker to successfully exploit the web interface in the event of code injection attacks like XSS attacks.
Recommendation for Mitigation: Enable CSP on the web interface by sending the Content-Security-Policy in HTTP response headers. For example: Content-Security-Policy: default-src 'self'; script-src 'self'
To implement CSP, the header needs to be modified. Has anyone done this? I would like to know how to do it.
Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header
The remote web server in some responses sets a permissive Content-Security-Policy (CSP) frame-ancestors response header or does not set one at all. The CSP frame-ancestors header has been proposed by the W3C Web Application Security Working Group as a way to mitigate cross-site scripting and clickjacking attacks.
Set a non-permissive Content-Security-Policy frame-ancestors header for all requested resources.
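The two findings above (no Content-Security-Policy header at all, and a missing or permissive frame-ancestors directive) are both judged purely from HTTP response headers, so they can be re-checked before and after any fix. The following checker is an added example written for this thread; it is not code from the original post, from the scanner, or from NetApp, and the response headers it evaluates are constructed samples, not captures from an ONTAP 9.3P6 system. It assumes the scanner's notion of "permissive" means the wildcard source, a bare scheme source such as https:, or a wildcard host; real scanner plugins may apply slightly different rules.

```python
"""Evaluate HTTP response headers for the two CSP findings quoted above.

Added example, not code from the original post, the scanner, or NetApp.
Responses are constructed dicts, not captures from a real ONTAP device.
"""
from typing import Dict, List

CSP_MISSING = "Content Security Policy (CSP) Not Implemented"
FA_MISSING = "Missing Content-Security-Policy frame-ancestors directive"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split "default-src 'self'; script-src 'self'" into {directive: [sources]}.

    Directive names are case-insensitive and, as in browsers, only the first
    occurrence of a directive counts; later duplicates are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def is_permissive_source(src: str) -> bool:
    """Assumed 'permissive' rule for frame-ancestors sources (an assumption of
    this example, not a quote from any scanner): '*', a scheme-only source such
    as https: or http:, or a wildcard host like *.example.com or https://*."""
    s = src.lower()
    if s in ("'self'", "'none'"):
        return False
    if s == "*":
        return True
    if s.endswith(":") and "//" not in s:   # scheme-only source: http:, https:, data:
        return True
    if s.startswith("*.") or "://*" in s:   # wildcard host
        return True
    return False


def assess(headers: Dict[str, str]) -> List[str]:
    """Return the list of findings for one response's headers.

    Header names are matched case-insensitively. Only the enforcing
    Content-Security-Policy header counts: a Content-Security-Policy-Report-Only
    header does not block anything and so does not clear either finding.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is None:
        return [CSP_MISSING, FA_MISSING]

    policy = parse_csp(csp)
    findings: List[str] = []

    # frame-ancestors does NOT fall back to default-src, so a policy without
    # it still leaves the page frameable (this is why the recommended header
    # on this page clears the first finding but not the second).
    ancestors = policy.get("frame-ancestors")
    if ancestors is None:
        findings.append(FA_MISSING)
    else:
        bad = [s for s in ancestors if is_permissive_source(s)]
        if bad:
            findings.append("Permissive frame-ancestors source(s): " + " ".join(bad))

    # script-src falls back to default-src; 'unsafe-inline' there defeats the
    # XSS benefit the finding description is about.
    script_sources = policy.get("script-src", policy.get("default-src", []))
    if any(s.lower() == "'unsafe-inline'" for s in script_sources):
        findings.append("script-src allows 'unsafe-inline'")
    return findings


# Constructed sample responses (not captured from any real system).
SAMPLES = {
    "no CSP header": {"Content-Type": "text/html"},
    "report-only only": {"Content-Security-Policy-Report-Only": "default-src 'self'"},
    "recommended header from the finding": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'"},
    "with frame-ancestors 'none'": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'"},
    "wildcard frame-ancestors": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label}: {assess(headers) or 'no findings'}")
```

The point worth taking from the samples is that the header suggested in the first finding ("default-src 'self'; script-src 'self'") clears the "CSP Not Implemented" item but still leaves the frame-ancestors finding open, because frame-ancestors has no fallback to default-src; adding "frame-ancestors 'none'" (or 'self' if the UI frames itself) closes both. On an appliance like ONTAP the header cannot normally be edited by the administrator, so the realistic options are a vendor fix or a TLS-terminating reverse proxy in front of the management interface that injects the header, and the checker above is then run against whichever endpoint the scanner actually reaches.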