Content Security Policy response header support for Citrix Gateway and authentication virtual server-generated responses

Starting from Citrix ADC release build 13.0–76.29, the Content-Security-Policy (CSP) response header is supported for Citrix Gateway and authentication virtual server-generated responses.

The Content-Security-Policy (CSP) response header is a combination of policies which the browser uses to avoid Cross Site Scripting (CSS) attacks. The HTTP CSP response header allows website administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks. The CSP header is designed to modify the way browsers render pages, and thus to protect from various cross-site injections, including CSS. It is important to set the header value correctly, in a way that does not prevent proper operation of the website. For example, if the header is set to prevent execution of inline JavaScript, the website must not use inline JavaScript in its pages.

The following are the advantages of the CSP response header.

  • The primary function of a CSP response header is to prevent CSS attacks.
  • In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used; for example (and ideally, from a security standpoint), a server can specify that all contents must be loaded using HTTPS.
  • CSP helps in securing Citrix ADC from cross-site scripting attacks by securing files like “tmindex.html” and “homepage.html. The file “tmindex.html” is related to authentication and the file “homepage.html” is related to the published apps/links.

Configuring Content-Security-Policy header for Citrix Gateway and authentication virtual server-generated responses

To enable the CSP header, you need to configure your web server to return the CSP HTTP header.

Points to note

  • By default, the CSP header is disabled.
  • While enabling or disabling the default CSP policy, you are recommended to run the following command. Flush cache contentgroup loginstaticobjects
  • For modifying the CSP for /logon/LogonPoint/index.html, modify the “Header set Content-Security-Policy” value as required under the section corresponding to the logon directory which can be found under the directory /var/netscaler/logon.
  • For instructions on how to configure a rewrite action and policy using the GUI, see Rewrite.

To configure CSP for authentication virtual server and Citrix Gateway generated responses using CLI, type the following command at the command prompt:

set aaa parameter -defaultCSPHeader <ENABLE/DISABLE>

To configure CSP for Citrix Gateway and authentication virtual server-generated responses using GUI.

  1. Navigate to Citrix Gateway > Global Settings, click Change authentication AAA settings under Authentication Settings.

    CSP global-1

  2. On the Configure AAA Parameters page, select the Enabled in Default CSP Header field.

    CSP global-2

An example for Content-Security-Policy header customization

The following is an example for CSP header customization to include images and scripts only from the following two specified sources respectively,,

Sample configuration

add rewrite action modify_csp insert_http_header Content-Security-Policy "\"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src http://localhost:* 'self' data: http: https:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; child-src 'self' com.citrix.agmacepa://* citrixng://* com.citrix.nsgclient://*; form-action 'self'; object-src 'self'; report-uri /nscsp_violation/report_uri\""

add rewrite policy add_csp true modify_csp

bind authentication vserver auth1 -policy add_csp -priority 1 -gotoPriorityExpression NEXT -type AAA_RESPONSE
Content Security Policy response header support for Citrix Gateway and authentication virtual server-generated responses