Content Security Policy (CSP)
The CSP tab allows you to view your current Content Security Policy to control what assets browsers should consider valid to load. The current CSP header is displayed in the box at the top of the page, and controls to modify the policy follow.
tCell may also suggest optimizations to reduce the size of the CSP. This typically involves combining two or more sites with the same domain but a different subdomain by using a wildcard for the subdomain.
Allowlist Insight platform URLs
When you install a tCell agent, the Insight platform URLs are added to your CSP by default. tCell agents need access to these URLs to send security events to the tCell console, so you must also ensure that they are allowlisted by your firewall.
For server agents, the URL is us.input.tcell.insight.rapid7.com.
For browser agents, the destination is us.browser.tcell.insight.rapid7.com.
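The two behaviours described above, the subdomain-wildcard optimization and the default allowlisting of the Insight platform hosts, as an added example that is not tCell's own code. The helper names, the https scheme for the Insight hosts, and the use of connect-src as the directive are assumptions.

```python
# Added example, not tCell's code: parse a CSP, wildcard shared subdomains as
# described above, then allowlist the Insight hosts (https scheme assumed).
TCELL_INSIGHT_HOSTS = [
    "https://us.input.tcell.insight.rapid7.com",
    "https://us.browser.tcell.insight.rapid7.com",
]

def parse_csp(header):
    """Return {directive: [source, ...]} in header order."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def serialize_csp(policy):
    return "; ".join(" ".join([d, *s]) for d, s in policy.items())

def allowlist_hosts(policy, hosts, directive="connect-src"):
    srcs = policy.setdefault(directive, [])
    srcs.extend(h for h in hosts if h not in srcs)  # never duplicate entries
    return policy

def _group_key(src):
    """(scheme, registrable domain) for a plain host with a subdomain label.
    Simplification: the last two labels count as the registrable domain;
    real code should consult the Public Suffix List (co.uk, etc.)."""
    scheme, _, host = src.rpartition("://")
    labels = host.split(".")
    if host.startswith("'") or any(c in host for c in "*/:") or len(labels) < 3:
        return None  # keywords, scheme sources, wildcards, paths, ports, apex
    return scheme, ".".join(labels[-2:])

def collapse_subdomains(sources):
    """Merge two or more hosts sharing a registrable domain into *.domain.
    The apex (example.com) stays, since *.example.com does not match it.
    A wildcard also admits every other subdomain, so review the result."""
    keys = [_group_key(s) for s in sources]
    out = []
    for src, key in zip(sources, keys):
        if key is None or keys.count(key) < 2:
            out.append(src)
        else:
            wild = (key[0] + "://" if key[0] else "") + "*." + key[1]
            if wild not in out:
                out.append(wild)
    return out

def optimize_csp(header):
    policy = {d: collapse_subdomains(s) for d, s in parse_csp(header).items()}
    return serialize_csp(allowlist_hosts(policy, TCELL_INSIGHT_HOSTS))
```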
Configure a Current Policy
In Current Policy, you can remove items from the current CSP. Select the items you want to remove and click the Remove Selected button below the list.
Add to a Policy
In "Add to Policy", you can add elements to your CSP based on knowledge you already have, or based on reports from browsers that are using your application. When a browser reports or blocks a resource under your CSP, that resource is added to the EXCLUDED FROM POLICY section. Items in this list have been reported by a browser and, since they are not part of the current CSP, have violated it. Review the list and add to your policy those resources that are correct for your application. If you already know the items you want to add to your CSP, enter them in MANUAL POLICY ENTRY. You might do this to write more general rules that cover a class of agent-reported resources, or to enter rules based on your own knowledge of the application.
Ignored violations
The items listed in the Ignored list will not trigger a CSP violation, nor show in the OBSERVED VIOLATIONS list. Most commonly this is done for items that are used by known and vetted browser plugins.
Workflow-based documentation on configuring CSP in tCell is available in the CSP Configuration Guide.
Available APIs
You can also use the API to manage your CSPs. Test the APIs here.