How to Modify Content-Security-Policy (CSP) for FTD Remote Access VPN

srajiwate
Level 1

I am working on securing the WebVPN (AnyConnect SSL VPN) portal on a Cisco FTD managed via FMC. The current Content-Security-Policy (CSP) header includes weak directives like 'unsafe-inline' and 'unsafe-eval', which expose the portal to potential XSS attacks.

I attempted to modify the CSP using FlexConfig, but I found that FTD does not support the http-headers CLI command, unlike ASA. Additionally, I explored WebVPN customization settings in FMC, but there is no direct way to modify response headers.

To mitigate exposure, I applied the following FlexConfig command:

webvpn
keepout "503: Service Unavailable"

This resulted in the WebVPN page returning a 503 Service Unavailable response. However, despite this, our cybersecurity team is still flagging the service as vulnerable due to weak CSP headers being present.

Questions:
Is there any supported method in FMC or CLI to modify HTTP response headers (specifically CSP) for FTD WebVPN?
Are there alternative configurations within FMC to restrict inline scripts (unsafe-inline) and eval (unsafe-eval) in WebVPN?
Would using a reverse proxy (e.g., NGINX) in front of FTD be the best approach to enforce a stricter CSP policy?
Since webvpn keepout "503: Service Unavailable" blocks the page entirely, is there a better way to mitigate these findings while keeping the portal functional?

Any insights from the community would be greatly appreciated. Thanks in advance!
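Added example, not code from the original post, from Cisco FTD/FMC or from the scanner that raised the finding: a small Python check that parses a Content-Security-Policy header the way a browser (and a header-based scanner) reads it, reports which weak keywords are actually in effect for script execution, and shows what a nonce-based replacement header looks like. The two sample headers are constructed to match the shape of policy the post describes and are not the real header the WebVPN portal sends. Two points the check makes concrete: a scanner reads the header whether the status line says 200 or 503, so the keepout banner does not change the finding; and rewriting the header at a reverse proxy only works if every inline script the portal page serves carries the matching nonce (or a hash source is listed), which is not something a proxy can add for you.

```python
"""Check a Content-Security-Policy header for keywords that weaken script
restrictions, and show what a hardened replacement looks like.

Added example, not code from the original post, Cisco FTD/FMC or any
scanner; the sample headers below are constructed for illustration and are
not the actual header the FTD WebVPN portal sends.
"""
from typing import Dict, List

# Keywords in a script source list that re-enable inline scripts and eval().
WEAK_SOURCES = ("'unsafe-inline'", "'unsafe-eval'")
# When a nonce or hash source is present, CSP Level 2+ browsers ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample: the shape of policy the post describes (weak keywords present).
WEAK_PORTAL_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'"
)
# Constructed sample: a stricter policy that allows scripts by per-response nonce.
HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lue'; object-src 'none'"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source-expression, ...]}.

    Directives are ';'-separated, tokens are whitespace-separated, names are
    case-insensitive, and a repeated directive is ignored (the first one wins).
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """Sources governing script execution: script-src, else the default-src fallback.

    (script-src-elem / script-src-attr are not considered in this example.)
    """
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def weak_script_sources(header: str) -> List[str]:
    """Return the weak keywords that are actually in effect for scripts.

    'unsafe-inline' is reported only when no nonce or hash source is present,
    because browsers ignore it otherwise; 'unsafe-eval' is always reported.
    """
    sources = [s.lower() for s in effective_script_sources(parse_csp(header))]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    findings = []
    for src in sources:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if src in WEAK_SOURCES:
            findings.append(src)
    return findings


def harden(header: str, nonce: str) -> str:
    """Rewrite script-src to drop the weak keywords and allow a nonce instead.

    Only the header is changed: every inline <script> the page serves must
    carry the matching nonce attribute, or the browser will block it.
    """
    policy = parse_csp(header)
    kept = [s for s in effective_script_sources(policy) if s.lower() not in WEAK_SOURCES]
    policy["script-src"] = kept + [f"'nonce-{nonce}'"]
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())


if __name__ == "__main__":
    print("weak portal policy ->", weak_script_sources(WEAK_PORTAL_CSP))
    print("hardened policy    ->", weak_script_sources(HARDENED_CSP))
    print("rewritten header   ->", harden(WEAK_PORTAL_CSP, "r4nd0mV4lue"))
```

Run against a live response by pasting the value of the Content-Security-Policy header into weak_script_sources(); an empty list means the script keywords the scanner flags are no longer in effect. The harden() output is the header a reverse proxy would have to emit in place of the appliance's own, but whether the portal still works afterwards depends entirely on the markup the appliance serves, which the proxy cannot rewrite safely.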

0 Replies