問題を報告するこのページは、まだ日本語ではご利用いただけません。翻訳中です。
Strengthen Security in Kong Manager
Content Security Policy
A Content Security Policy (CSP) helps prevent or minimize the risk of certain types of security threats. It consists of a series of instructions from a website to a browser, which instruct the browser to place restrictions on the things that the code comprising the site is allowed to do.
Kong Manager provides the optional configuration parameter admin_gui_csp_header that allows you to enable the Content Security Policy header. The Content Security Policy header is turned off by default.
When admin_gui_csp_header is enabled, Kong Manager will enforce a default Content Security Policy composed of the following directives:
default-src 'self';
connect-src <...see below...>;
img-src 'self' data:;
script-src 'self' 'wasm-unsafe-eval';
script-src-elem 'self';
style-src 'self' 'unsafe-inline';
If admin_gui_api_url is not specified, the connect-src directive will depend on the requesting host and port. For example:
- If the request URL is
http://localhost:9112, theconnect-srcdirective will be `http://localhost:9112 - If the request URL is
https://localhost:9112, theconnect-srcdirective will behttps://localhost:9112.
If admin_gui_api_url is specified, the connect_src directive will depend on the presence of the http or https prefix:
- If
admin_gui_api_urlstarts withhttp://orhttps://, theconnect-srcdirective will be the value ofadmin_gui_api_url. - If
admin_gui_api_urldoesn’t start withhttp://orhttps://, theconnect-srcdirective will be the value ofadmin_gui_api_urlprefixed withhttp://when being accessed over HTTP, andhttps://when being accessed over HTTPS.
Customize the Content Security Policy header
Sometimes, the default Content Security Policy may not fit your needs. You can customize the Content Security Policy by setting the admin_gui_csp_header_value parameter in your Kong configuration. For example:
admin_gui_csp_header_value = default-src 'self'; connect-src 'self' https://my-admin-api.tld;
Note: An invalid Content Security Policy may break the functionality of Kong Manager or even expose it to security risks. Make sure to test the Content Security Policy before using it in production.
