Security
- HTTP Protection Measures on Connection Servers and Security Servers
If clients need to connect through a Unified Access Gateway or another gateway, you must specify all of
the gateway addresses by adding portalHost entries to locked.properties. Port 443 is assumed for
these addresses too. Do the same if you want to provide access to a Connection Server or security
server by a name that is different from the one that is specified in the External URL.
Chrome Extension clients set their initial Origin to their own identity. To allow connections to succeed,
register the extension by adding a chromeExtension entry to locked.properties.
Content Security Policy
The Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities,
such as cross-site scripting (XSS), by providing policy directives to compliant browsers. This feature is
enabled by default. You can reconfigure the policy directives by adding entries to locked.properties.
Table 7‑2. CSP Properties

| Property | Value Type | Master Default | Other Defaults |
| --- | --- | --- | --- |
| enableCSP | true / false | true | n/a |
| content-security-policy | directives-list | default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data: | portal=child-src 'self' blob:;default-src 'self';connect-src 'self' wss:;font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;object-src 'self' blob:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';frame-ancestors 'self' |
| x-frame-options | OFF / specification | deny | portal=sameorigin |
| x-content-type-options | OFF / specification | nosniff | n/a |
| x-xss-protection | OFF / specification | 1; mode=block | n/a |

You can add CSP properties to the locked.properties file. Example CSP properties:
enableCSP = true
content-security-policy = default-src 'self';script-src 'self' data:
content-security-policy-portal = default-src 'self';frame-ancestors 'self'
x-frame-options = deny
x-frame-options-portal = sameorigin
x-xss-protection = 1; mode=block
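
The following audit script is an added example, not VMware code and not part of the original document. It parses locked.properties-style entries and reports script sources that weaken the XSS protection CSP is meant to provide, using the master default from Table 7-2 and the example entries above as input. The function names are hypothetical, the parser is simplified, and it assumes that a value of OFF suppresses the corresponding header.

```python
# Added example: audit CSP-related entries of a locked.properties-style file.
RISKY_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "data:")

def parse_properties(text):
    """Simplified 'key = value' parser (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props

def parse_csp(policy):
    """Split a directives-list into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit(props):
    findings = []
    if props.get("enableCSP", "true").lower() == "false":
        findings.append("enableCSP: CSP is disabled")
    for key, value in props.items():
        if key.startswith("content-security-policy"):
            csp = parse_csp(value)
            # Browsers fall back to default-src when script-src is absent.
            scripts = csp.get("script-src", csp.get("default-src", []))
            findings += [f"{key}: script-src allows {s}"
                         for s in RISKY_SCRIPT_SOURCES if s in scripts]
        elif key.startswith(("x-frame-options", "x-content-type-options")):
            if value.upper() == "OFF":  # assumption: OFF suppresses the header
                findings.append(f"{key}: header is switched OFF")
    return findings

# Constructed input: the master default policy from Table 7-2.
MASTER_DEFAULT = "content-security-policy = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:"
# Constructed input: example entries from this page, with one header set to OFF.
PAGE_EXAMPLE = """enableCSP = true
content-security-policy = default-src 'self';script-src 'self' data:
content-security-policy-portal = default-src 'self';frame-ancestors 'self'
x-xss-protection = 1; mode=block
x-content-type-options = OFF"""

if __name__ == "__main__":
    for name, text in (("default", MASTER_DEFAULT), ("example", PAGE_EXAMPLE)):
        print(name, audit(parse_properties(text)))
```

The tightened script-src in the example entries removes 'unsafe-inline' and 'unsafe-eval' but still lists data:, which the audit reports because data: URIs can carry script.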
View Security
VMware, Inc.