Content Security Policy
Moogsoft has provided an optional enhanced Content Security Policy (CSP) as part of this release. CSP is a security standard introduced to prevent Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and other data injection attacks. For more information, see the Mozilla document on Content Security Policy.
The CSP is controlled by Nginx and is enabled by default. You can optionally disable it:
Edit the following file:
$MOOGSOFT_HOME/cots/nginx/config/conf.d/moog-ui-headers.conf
Comment out the line that starts with add_header Content-Security-Policy and save the file.
Restart Nginx:
$MOOGSOFT_HOME/bin/utils/process_cntl nginx restart
Note
If you enable the enhanced CSP you must follow the steps below to allow access to external domains. If you want to access the UI with the Safari web browser, you must follow the steps below to configure Moogsoft Onprem for use with Safari.
Disable the enhanced Content Security Policy (optional)
If you enable the enhanced CSP, the following features require additional configuration to allow access to external domains:
Situation Room plugins to external domains
Situation client tools to external URLs
To allow access to required external domains:
Edit the following file:
$MOOGSOFT_HOME/cots/nginx/config/conf.d/moog-ui-headers.conf
Add a frame-src directive to the Content-Security-Policy header for the required domain. For example, run the following command to allow Google domains:
sed -i "s/add_header Content-Security-Policy\(.*\)\" always/add_header Content-Security-Policy\1; frame-src 'self' *.google.com\" always/" $MOOGSOFT_HOME/cots/nginx/config/conf.d/moog-ui-headers.conf
Restart Nginx:
$MOOGSOFT_HOME/bin/utils/process_cntl nginx restart
Note
Moogsoft Onprem allows access to Pendo and WalkMe domains by default.
Configure Moogsoft Onprem for use with Safari
Due to a known issue in the Safari web browser, you must take additional steps if you've enabled the enhanced CSP and you want to access the UI with Safari:
Edit the following file:
$MOOGSOFT_HOME/cots/nginx/config/conf.d/moog-ui-headers.conf
Add the following websocket URLs to the Content-Security-Policy section of the file. Substitute your hostname for <webhost>:
wss://<webhost>/moogpoller/ws wss://<webhost>/integrations/ws/v1
You can update the configuration using a command similar to the following. Substitute your hostname for <webhost>:
sed -i.bak "s;connect-src 'self' app;connect-src 'self' wss://<webhost>/moogpoller/ws wss://<webhost>/integrations/ws/v1 app;g" $MOOGSOFT_HOME/cots/nginx/config/conf.d/moog-ui-headers.conf
Restart Nginx:
$MOOGSOFT_HOME/bin/utils/process_cntl nginx restart
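The following shell functions are an added example, not part of the Moogsoft product or its documentation: they read the active Content-Security-Policy header from the file and confirm that the frame-src and connect-src edits described above took effect. Browsers honor only the first occurrence of a directive, so the check also flags duplicates, such as a second frame-src appended by running the sed command again. The function names are hypothetical, and the header is assumed to sit on one line in the form the sed commands above expect.

```shell
# Added example (not Moogsoft code). Assumes the header sits on one line:
#   add_header Content-Security-Policy "<policy>" always;

# Print the policy of the active (uncommented) Content-Security-Policy header.
csp_value() {  # $1 = conf file
  sed -n 's/^[[:space:]]*add_header[[:space:]]\{1,\}Content-Security-Policy[[:space:]]\{1,\}"\(.*\)"[[:space:]]*always.*/\1/p' "$1" | head -n 1
}

# Print the sources of the FIRST occurrence of a directive (later ones are ignored).
csp_sources() {  # $1 = policy, $2 = directive name
  printf '%s\n' "$1" | tr ';' '\n' |
    awk -v d="$2" 'tolower($1) == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Succeed if the effective directive lists the given source expression verbatim.
csp_allows() {  # $1 = policy, $2 = directive, $3 = source
  csp_sources "$1" "$2" | tr ' ' '\n' | grep -Fqx -- "$3"
}

# Print directive names that occur more than once in the policy.
csp_duplicates() {  # $1 = policy
  printf '%s\n' "$1" | tr ';' '\n' | awk 'NF { print tolower($1) }' | sort | uniq -d
}

# Check both edits from this page; prints findings, returns non-zero on failure.
check_conf() {  # $1 = conf file, $2 = external frame source, $3 = webhost
  local v u dups rc=0
  v=$(csp_value "$1")
  [ -n "$v" ] || { echo "no active Content-Security-Policy header"; return 2; }
  csp_allows "$v" frame-src "$2" || { echo "frame-src does not allow $2"; rc=1; }
  for u in "wss://$3/moogpoller/ws" "wss://$3/integrations/ws/v1"; do
    csp_allows "$v" connect-src "$u" || { echo "connect-src does not allow $u"; rc=1; }
  done
  dups=$(csp_duplicates "$v")
  [ -z "$dups" ] || { echo "duplicate directives, only the first applies: $dups"; rc=1; }
  return "$rc"
}

# Usage: check_conf "$MOOGSOFT_HOME/cots/nginx/config/conf.d/moog-ui-headers.conf" '*.google.com' <webhost>
```

If the check reports a duplicate directive, merge the extra sources into the first occurrence of that directive instead of appending another one.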