Enable CSP strict mode by default #39173
Labels: enhancement, Feature:Security/CSP, release_note:breaking, Team:Security, v8.0.0
CSP strict mode blocks access to Kibana for any legacy browser that doesn't support rudimentary content security policy protections. This ensures that a Kibana install is not put at risk by unintentionally supporting outdated and insecure browsers.
Prior to 8.0, `csp.strict` is disabled by default. From 8.0 onward, `csp.strict` should be enabled by default to provide the maximum amount of protection for most installs. Admins that wish to support outdated and insecure browsers (e.g. IE11) can explicitly disable CSP strict mode with

```yaml
csp.strict: false
```

in `kibana.yml`. We should check this value in our telemetry as well so we have a better understanding of how common it is for people to disable strict mode to support things like IE11.
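The following is an added example, not code from Kibana or this issue: a small audit script that reads a `kibana.yml` and reports whether CSP strict mode is effectively on, applying the defaults described above (off before 8.0, on from 8.0) when the key is absent. It assumes the setting may be written either as the dotted key `csp.strict` or as a nested `csp:` / `strict:` pair, and the sample configs are constructed for the demonstration; it deliberately avoids a YAML library so it runs with the standard library only.

```python
"""Audit kibana.yml for the csp.strict setting (added example, not Kibana code)."""
from __future__ import annotations

# Defaults as described in the issue: strict mode off before 8.0, on from 8.0.
DEFAULT_STRICT_BY_MAJOR = {7: False, 8: True}


def parse_flat_settings(text: str) -> dict[str, str]:
    """Read a small YAML subset into dotted keys.

    Handles 'a.b: value' and the nested
        a:
          b: value
    form, skips comments, blank lines and list items. This is a deliberately
    minimal reader for an audit script, not a general YAML parser (assumption).
    """
    settings: dict[str, str] = {}
    stack: list[tuple[int, str]] = []  # (indent, key) path of open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("- "):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        # Close any mappings that are at the same or deeper indentation.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        key = key.strip()
        value = value.strip().strip("'\"")
        if value == "":
            stack.append((indent, key))  # opens a nested mapping
        else:
            settings[".".join([k for _, k in stack] + [key])] = value
    return settings


def effective_csp_strict(text: str, major_version: int) -> tuple[bool, str]:
    """Return (strict_enabled, source) where source is 'explicit' or 'default'."""
    raw = parse_flat_settings(text).get("csp.strict")
    if raw is None:
        return DEFAULT_STRICT_BY_MAJOR.get(major_version, True), "default"
    return raw.lower() == "true", "explicit"


def audit_report(text: str, major_version: int) -> str:
    """One-line finding a telemetry or config-review job could record."""
    enabled, source = effective_csp_strict(text, major_version)
    if enabled:
        return f"csp.strict enabled ({source}); legacy browsers without CSP are blocked"
    return f"csp.strict DISABLED ({source}); outdated browsers such as IE11 are allowed"


if __name__ == "__main__":
    # Constructed sample configs for the demonstration.
    SAMPLES = {
        "8.x, no csp key": ("server.port: 5601\n", 8),
        "7.x, no csp key": ("server.port: 5601\n", 7),
        "8.x, dotted opt-out": ("server.port: 5601\ncsp.strict: false  # keep IE11 working\n", 8),
        "7.x, nested opt-in": ("csp:\n  strict: true\n  rules:\n    - \"script-src 'self'\"\n", 7),
    }
    for name, (cfg, major) in SAMPLES.items():
        print(f"{name:22s} -> {audit_report(cfg, major)}")
```

Running the script prints one finding per sample; the two configurations without a `csp.strict` key diverge only because of the version default, which is exactly the signal the telemetry question above is after.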