https://community.cisco.com/t5/network-security/how-to-modify-content-security-policy-csp-for-ftd-remote-access/m-p/5269474#M1119965 <P>I am working on securing the WebVPN (AnyConnect SSL VPN) portal on a Cisco FTD managed via FMC. The current Content-Security-Policy (CSP) header includes weak directives like 'unsafe-inline' and 'unsafe-eval', which expose the portal to potential XSS attacks.</P><P>I attempted to modify the CSP using FlexConfig, but I found that FTD does not support the http-headers CLI command, unlike ASA. Additionally, I explored WebVPN customization settings in FMC, but there is no direct way to modify response headers.</P><P>To mitigate exposure, I applied the following FlexConfig command:</P><P>webvpn<BR />keepout "503: Service Unavailable"</P><P>This resulted in the WebVPN page returning a 503 Service Unavailable response. However, despite this, our cybersecurity team is still flagging the service as vulnerable due to weak CSP headers being present.</P><P>Questions:<BR />Is there any supported method in FMC or CLI to modify HTTP response headers (specifically CSP) for FTD WebVPN?<BR />Are there alternative configurations within FMC to restrict inline scripts (unsafe-inline) and eval (unsafe-eval) in WebVPN?<BR />Would using a reverse proxy (e.g., NGINX) in front of FTD be the best approach to enforce a stricter CSP policy?<BR />Since webvpn keepout "503: Service Unavailable" blocks the page entirely, is there a better way to mitigate these findings while keeping the portal functional?</P><P>Any insights from the community would be greatly appreciated. Thanks in advance!</P><P>&nbsp;</P> Thu, 13 Mar 2025 07:55:57 GMT srajiwate 2025-03-13T07:55:57Z https://community.cisco.com/t5/network-security/how-to-modify-content-security-policy-csp-for-ftd-remote-access/m-p/5269474#M1119965 <P>I am working on securing the WebVPN (AnyConnect SSL VPN) portal on a Cisco FTD managed via FMC. The current Content-Security-Policy (CSP) header includes weak directives like 'unsafe-inline' and 'unsafe-eval', which expose the portal to potential XSS attacks.</P><P>I attempted to modify the CSP using FlexConfig, but I found that FTD does not support the http-headers CLI command, unlike ASA. Additionally, I explored WebVPN customization settings in FMC, but there is no direct way to modify response headers.</P><P>To mitigate exposure, I applied the following FlexConfig command:</P><P>webvpn<BR />keepout "503: Service Unavailable"</P><P>This resulted in the WebVPN page returning a 503 Service Unavailable response. However, despite this, our cybersecurity team is still flagging the service as vulnerable due to weak CSP headers being present.</P><P>Questions:<BR />Is there any supported method in FMC or CLI to modify HTTP response headers (specifically CSP) for FTD WebVPN?<BR />Are there alternative configurations within FMC to restrict inline scripts (unsafe-inline) and eval (unsafe-eval) in WebVPN?<BR />Would using a reverse proxy (e.g., NGINX) in front of FTD be the best approach to enforce a stricter CSP policy?<BR />Since webvpn keepout "503: Service Unavailable" blocks the page entirely, is there a better way to mitigate these findings while keeping the portal functional?</P><P>Any insights from the community would be greatly appreciated. Thanks in advance!</P><P>&nbsp;</P> Thu, 13 Mar 2025 07:55:57 GMT https://community.cisco.com/t5/network-security/how-to-modify-content-security-policy-csp-for-ftd-remote-access/m-p/5269474#M1119965 srajiwate 2025-03-13T07:55:57Z