
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Leakage of internal system name in Content-Security-Policy header

SA-37344

Summary

Responses to requests from the internet include the internal server name in the report-uri of the Content-Security-Policy HTTP header (and of its legacy variants, X-WebKit-CSP and X-Content-Security-Policy). Note that the policy shown below allows every source (`*`) plus 'unsafe-inline' and 'unsafe-eval', so it offers practically no CSP protection; the only thing it does is tell the browser where to post violation reports, and that URL is where the internal name leaks:

X-WebKit-CSP: connect-src *; font-src *; frame-src *; img-src *; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline' 'unsafe-eval'; default-src *; report-uri http://INTERNALSERVERNAME/blablabla
X-Content-Security-Policy: connect-src *; font-src *; frame-src *; img-src *; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline' 'unsafe-eval'; default-src *; report-uri http://INTERNALSERVERNAME/blablabla
Content-Security-Policy: connect-src *; font-src *; frame-src *; img-src *; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline' 'unsafe-eval'; default-src *; report-uri http://INTERNALSERVERNAME/blablabla


In the production environment, a cluster has been set up behind DNS and a load balancer so that the internal IP addresses and host names of the cluster nodes are not exposed.

The issue is that when the Pega application uses Content Security Policy, these internal IP addresses (or node host names) become visible in the headers of the HTTP response, because the report-uri is an absolute URL built from the address the node itself was reached on.

How can the internal IP addresses be hidden from the response HTTP headers?

Error Messages

No error messages; the HTTP response headers show the internal IP address.

Steps to Reproduce

  1. Set up a cluster using Internet Application Composer (IAC) to embed a Pega application in an internet-facing website.
  2. Load and submit a form of the embedded Pega application.
  3. Check the HTTP response headers; the report-uri in the Content-Security-Policy headers shows the internal IP address or host name of the node that served the request.

Root Cause


The load balancer acts as a reverse proxy here, but PRPC has not been configured to take this reverse proxy into account. PRPC therefore builds the absolute report-uri from the host it received the request on, which is the internal node address the load balancer forwarded to, rather than the public address the client used.

Resolution


PRPC has to be configured for the reverse proxy as described in the following article:

https://community.pega.com/knowledgebase/articles/system-administration/deployment-behind-reverse-proxy

Once this is done, the URL PRPC derives from the HTTP request will be the public URL, not the internal one, and the report-uri in the Content-Security-Policy headers will name the public host instead of the node.
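The following is an added example to accompany the steps, root cause and resolution above; it is not PRPC code and does not show how PRPC's reverse-proxy setting is implemented. It does two things: it parses Content-Security-Policy style response headers and flags a report-uri that points at an internal host (the check from step 3), and it shows the general technique a reverse-proxy-aware application uses to derive its public origin, honouring X-Forwarded-Host and X-Forwarded-Proto only when the request arrived from a trusted load-balancer address, since any client can send those headers. The header values, host names, the 10.0.0.0/24 proxy range and the `/prweb/csp` path are constructed for the example.

```python
"""Detect an internal host name leaking through a CSP report-uri, and show
how a reverse-proxy-aware application should derive its public origin.

Added example; not Pega/PRPC code. All sample data below is constructed.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Header names that carry a CSP policy (current name plus the legacy variants).
CSP_HEADERS = {"content-security-policy", "x-content-security-policy", "x-webkit-csp"}

# Assumed address range of the load balancer(s) whose X-Forwarded-* headers we trust.
TRUSTED_PROXIES = ipaddress.ip_network("10.0.0.0/24")


def csp_directives(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive-name: [source values]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def is_internal_host(host: str) -> bool:
    """Heuristic for 'should never appear in a public response':
    non-global IP addresses, single-label names and private-looking suffixes."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    name = host.lower().rstrip(".")
    return "." not in name or name.endswith((".local", ".internal", ".lan", ".corp"))


def find_leaks(response_headers: dict[str, str]) -> list[tuple[str, str]]:
    """Return (header name, leaked host) for every CSP report-uri that points
    at an internal host. Empty list means the response is clean."""
    leaks: list[tuple[str, str]] = []
    for name, value in response_headers.items():
        if name.lower() not in CSP_HEADERS:
            continue
        for uri in csp_directives(value).get("report-uri", []):
            host = urlsplit(uri).hostname
            if host and is_internal_host(host):
                leaks.append((name, host))
    return leaks


def public_origin(request_headers: dict[str, str], peer_ip: str) -> str:
    """Origin the application should use when it emits absolute URLs.

    Without proxy awareness the app uses the Host header, which behind a load
    balancer is the node's own name. When the TCP peer is a trusted proxy, the
    X-Forwarded-Proto / X-Forwarded-Host values set by that proxy are used
    instead (first value only, in case several proxies appended to them).
    Forwarded headers from any other peer are ignored because clients can
    forge them."""
    h = {k.lower(): v for k, v in request_headers.items()}
    scheme, host = "http", h["host"]
    if ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES:
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip()
        host = h.get("x-forwarded-host", host).split(",")[0].strip()
    return f"{scheme}://{host}"


def build_csp(origin: str) -> str:
    """Build a policy whose report-uri is absolute on the given origin
    (the directive set is illustrative, not Pega's)."""
    return f"default-src 'self'; report-uri {origin}/prweb/csp"


# Constructed sample: what a node behind the load balancer returns today.
SAMPLE_RESPONSE = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'; "
                               "report-uri http://prpc-node-01/prweb/csp",
    "X-WebKit-CSP": "default-src *; report-uri http://10.0.3.15/prweb/csp",
}

# Constructed sample: the request as the load balancer forwards it to the node.
LB_REQUEST = {
    "Host": "prpc-node-01",
    "X-Forwarded-Host": "www.example.com",
    "X-Forwarded-Proto": "https",
}

if __name__ == "__main__":
    print("leaks in current response:", find_leaks(SAMPLE_RESPONSE))
    fixed = build_csp(public_origin(LB_REQUEST, peer_ip="10.0.0.5"))
    print("policy after proxy-aware origin:", fixed)
    print("leaks after fix:", find_leaks({"Content-Security-Policy": fixed}))
```

Run against a live site, the same check can be fed the headers from a captured response (for example the output of `curl -sI` on the embedded form's URL); any non-empty result from `find_leaks` means the reverse-proxy configuration is still missing or the load balancer is not sending the forwarded headers the application expects.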


Published May 15, 2017 - Updated October 8, 2020
