Support Article
Leakage internal system name in Content-Security-Policy header
Summary
Responses to requests from the internet include the internal server name in the Content-Security-Policy HTTP header (and in its legacy variants, X-WebKit-CSP and X-Content-Security-Policy):
X-WebKit-CSP: connect-src *; font-src *; frame-src *; img-src *; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline' 'unsafe-eval'; default-src *; report-uri http://INTERNALSERVERNAME/blablabla
X-Content-Security-Policy: connect-src *; font-src *; frame-src *; img-src *; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline' 'unsafe-eval'; default-src *; report-uri http://INTERNALSERVERNAME/blablabla
Content-Security-Policy: connect-src *; font-src *; frame-src *; img-src *; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline' 'unsafe-eval'; default-src *; report-uri http://INTERNALSERVERNAME/blablabla
In the production environment, a cluster has been set up behind DNS and a load balancer so that the internal IP addresses of the cluster nodes are not exposed.
The issue is that when the Pega application uses Content Security Policy, these internal IP addresses become visible in the HTTP response headers (in the report-uri directive shown above).
How can the user hide these internal IP addresses in the response HTTP headers?
Error Messages
No error messages; the HTTP response headers show the internal IP address.
Steps to Reproduce
- Set up a cluster using Internet Application Composer (IAC) to embed a Pega application in an internet website.
- Load and submit a form of the embedded Pega application.
- Check the HTTP response headers; they will show the internal IP addresses.
Root Cause
The load balancer acts as a reverse proxy here, but PRPC has not been configured to take this reverse proxy into account, so it builds the report-uri from the internal host it sees rather than from the public URL.
Resolution
PRPC has to be configured for the reverse proxy as described in the article below:
Once this is done, the URL seen in the HTTP request will be the public URL, not the internal one, and the report-uri in the CSP headers will follow it.
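As an added check, not part of this article or of Pega's own tooling, the following Python script parses the CSP header family for report-uri targets and flags any target whose host is not the expected public host, which is a quick way to confirm the fix from outside the load balancer. The header values and the public host name are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample response headers: two leak an internal host name / private IP
# in report-uri, one correctly points at the public host.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'; report-uri http://INTERNALSERVERNAME/blablabla",
    "X-Content-Security-Policy": "default-src *; report-uri http://10.0.3.17:8080/prweb/csp",
    "X-WebKit-CSP": "default-src *; report-uri https://www.example.com/prweb/csp",
}

# Current header plus the legacy variants the article lists.
CSP_HEADER_NAMES = (
    "content-security-policy",
    "content-security-policy-report-only",
    "x-content-security-policy",
    "x-webkit-csp",
)


def report_targets(policy):
    """Return every URL listed in report-uri directives of one CSP header value."""
    targets = []
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "report-uri":
            targets.extend(parts[1:])
    return targets


def classify_host(host):
    """Say why a host looks internal: private/loopback IP, single-label name, or just unexpected."""
    try:
        return "unexpected-host" if ipaddress.ip_address(host).is_global else "private-ip"
    except ValueError:
        # Not an IP literal: a name without a dot is only resolvable inside the site.
        return "single-label-name" if "." not in host else "unexpected-host"


def find_leaks(headers, public_host):
    """Return (header name, host, reason) for report-uri hosts that differ from public_host."""
    leaks = []
    for name, value in headers.items():
        if name.lower() not in CSP_HEADER_NAMES:
            continue
        for url in report_targets(value):
            host = (urlsplit(url).hostname or "").lower()  # hostname drops port, lowercases
            if host != public_host.lower():
                leaks.append((name, host, classify_host(host)))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_HEADERS, "www.example.com"):
        print("report-uri leak in %s: host=%s (%s)" % leak)
```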
Published May 15, 2017 - Updated October 8, 2020