Security
Table Of Contents
- View Security
- Horizon 7 Accounts, Resources, and Log Files
- View Security Settings
- Ports and Services
- Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
- Configuring Security Protocols and Cipher Suites for Blast Secure Gateway
- Deploying USB Devices in a Secure Horizon 7 Environment
- HTTP Protection Measures on Connection Servers and Security Servers
- Index
Content Security Policy
The Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as
cross-site scripting (XSS), by providing policy directives to compliant browsers. This feature is enabled by
default. You can reconfigure the policy directives by adding entries to locked.properties.
Table 7-2. CSP Properties

Property: enableCSP
  Value type: true | false
  Master default: true
  Other defaults: n/a

Property: content-security-policy
  Value type: directives-list
  Master default: default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:
  Other defaults: portal=child-src 'self' blob:;default-src 'self';connect-src 'self' wss:;font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;object-src 'self' blob:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';frame-ancestors 'self'

Property: x-frame-options
  Value type: OFF | specification
  Master default: deny
  Other defaults: portal=sameorigin

Property: x-content-type-options
  Value type: OFF | specification
  Master default: nosniff
  Other defaults: n/a

Property: x-xss-protection
  Value type: OFF | specification
  Master default: 1; mode=block
  Other defaults: n/a
You can add CSP properties to the locked.properties file. Example CSP properties:

  enableCSP = true
  content-security-policy = default-src 'self';script-src 'self' data:
  content-security-policy-portal = default-src 'self';frame-ancestors 'self'
  x-frame-options = deny
  x-frame-options-portal = sameorigin
  x-xss-protection = 1; mode=block
Other Protection Measures
Besides the Internet Engineering Task Force and W3 standards, Horizon 7 employs other measures to
protect communication that uses the HTTP protocol.
Reducing MIME Type Security Risks
By default, Horizon 7 sends the header x-content-type-options: nosniff in its HTTP responses to help
prevent attacks based on MIME-type confusion.
You can disable this feature by adding the following entry to the file locked.properties:

  x-content-type-options=OFF
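The following script is an added example, not VMware's code and not part of this document. It covers both the CSP properties above and the x-content-type-options entry in this section: it parses a constructed locked.properties snippet, derives the HTTP response headers those entries imply (falling back to the Table 7-2 master defaults, with OFF suppressing a header), and then audits the resulting CSP for sources that weaken its XSS protection. It assumes, as an interpretation of Table 7-2 that the page does not spell out, that a key with a -portal suffix selects the value for the portal pages while the bare key is the master value; the helper names (parse_properties, effective_headers, audit_csp) are this example's own.

```python
"""Derive Horizon 7 HTTP protection headers from locked.properties entries and
audit the Content Security Policy they produce.

Added example, not VMware's code.  Assumption (not stated on the page): the
"-portal" suffix on a key selects the value used for the portal pages; the
bare key is the master value.
"""

# Constructed sample: the example entries from the page plus the entry the
# MIME-type section describes for switching nosniff off.
SAMPLE_LOCKED_PROPERTIES = """
# constructed locked.properties excerpt
enableCSP = true
content-security-policy = default-src 'self';script-src 'self' data:
content-security-policy-portal = default-src 'self';frame-ancestors 'self'
x-frame-options = deny
x-frame-options-portal = sameorigin
x-xss-protection = 1; mode=block
x-content-type-options=OFF
"""

HEADER_KEYS = ("content-security-policy", "x-frame-options",
               "x-content-type-options", "x-xss-protection")

# Master defaults taken from Table 7-2.
MASTER_DEFAULTS = {
    "enableCSP": "true",
    "content-security-policy": ("default-src 'self';script-src 'self' 'unsafe-inline' "
                                "'unsafe-eval' data:;style-src 'self' 'unsafe-inline';"
                                "font-src 'self' data:"),
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}

# "Other defaults" column of Table 7-2 (the portal= entries).
PORTAL_DEFAULTS = {
    "content-security-policy": ("child-src 'self' blob:;default-src 'self';connect-src 'self' wss:;"
                                "font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;"
                                "object-src 'self' blob:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;"
                                "style-src 'self' 'unsafe-inline';frame-ancestors 'self'"),
    "x-frame-options": "sameorigin",
}

# Sources that undo most of what a script-src policy is meant to achieve.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}


def parse_properties(text):
    """Minimal Java-style properties parser: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def effective_headers(props, portal=False):
    """Return {header: value} the server would emit for the master (or portal) pages.

    Defaults come from Table 7-2; explicit entries override them; a value of
    OFF (any case) suppresses the header; enableCSP=false drops the CSP header.
    """
    merged = dict(MASTER_DEFAULTS)
    if portal:
        merged.update(PORTAL_DEFAULTS)          # assumed portal semantics
    merged.update({k: v for k, v in props.items() if not k.endswith("-portal")})
    if portal:
        merged.update({k[:-len("-portal")]: v for k, v in props.items() if k.endswith("-portal")})
    if merged.get("enableCSP", "true").lower() != "true":
        merged.pop("content-security-policy", None)
    headers = {}
    for key in HEADER_KEYS:
        value = merged.get(key)
        if value is None or value.upper() == "OFF":
            continue
        headers[key] = value
    return headers


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def audit_csp(value):
    """Return findings for a CSP string; an empty list means nothing weak was found."""
    policy = parse_csp(value)
    findings = []
    # script-src falls back to default-src when absent, as browsers do.
    for src in policy.get("script-src", policy.get("default-src", [])):
        if src in WEAK_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors directive (relies on X-Frame-Options)")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_LOCKED_PROPERTIES)
    for label, portal in (("master", False), ("portal", True)):
        headers = effective_headers(props, portal=portal)
        print(f"[{label}]")
        for name, value in headers.items():
            print(f"  {name}: {value}")
        if "x-content-type-options" not in headers:
            print("  WARNING: nosniff disabled; MIME-type confusion protection is off")
        for finding in audit_csp(headers.get("content-security-policy", "")):
            print(f"  CSP finding: {finding}")
```

Running the script shows that the constructed file removes the nosniff header for both contexts and that the master CSP still permits data: script sources; the table's own master default would additionally be flagged for 'unsafe-inline' and 'unsafe-eval'. The audit is a directive-level check, not a full CSP evaluator, so treat its findings as prompts for review rather than a pass/fail verdict.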
View Security
38 VMware, Inc.