Content Security Policy as a blacklist - content-security-policy

Can I use the Content Security Policy Header to blacklist the loading of scripts from certain domains?

No, you can’t. When you create a CSP policy, it’s basically a “deny all” policy. You then add back “allow from” exceptions to that. But you can’t do it the other way around; that is, you can’t, in a CSP policy, express “allow all” as a default and then add back specific “deny from” exceptions.
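To make the allow-list-only nature concrete, here is an added example (not part of the original answer) of a simplified evaluator for a CSP `script-src` source list: a script origin is loadable only if some source expression in the list matches it, and there is no source expression that means "everything except this host". It handles 'self', 'none', '*', scheme-sources such as `https:` and host-sources with an optional `*.` prefix and port; paths, nonces and hashes are deliberately left out, and the policy and page origin are constructed sample values.

```javascript
// Added example: simplified CSP script-src evaluation. Sample policy and origins
// are constructed; real browsers implement the full CSP3 matching rules.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Parse a Content-Security-Policy header into { directiveName: [sources] }.
// The first occurrence of a directive wins, as browsers treat duplicates.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression permit loading `url` on a page served from pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return true;
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // host-source: [scheme://][*.]host[:port|:*][/path] (path ignored here)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith("." + host.toLowerCase()) : h !== host.toLowerCase()) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  return !port || port === "*" || port === urlPort;
}

// Is loading scriptUrl permitted by the header on a page served from pageOrigin?
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const d = parseCsp(header);
  const list = d["script-src"] || d["default-src"];
  if (!list) return true; // no governing directive: CSP imposes no restriction
  const url = new URL(scriptUrl);
  return list.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample: everything is denied unless listed; an unlisted host is
// blocked only because it is absent, not because a "deny" entry names it.
const policy = "default-src 'none'; script-src 'self' https://cdn.example.com *.trusted.org";
const page = "https://app.example.com";
console.log(scriptAllowed(policy, "https://cdn.example.com/lib.js", page)); // true
console.log(scriptAllowed(policy, "https://evil.example.net/x.js", page));  // false
```

Note that the only way to keep `evil.example.net` out while still permitting other third parties is to enumerate those third parties; `script-src *` would admit it again.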

Related

ADB2C Custom Policies and development environments

Is there an elegant way to use a single set of ADB2C IEF custom policies across multiple environments (e.g. dev/test/prod)?
This issue has arisen as we have designed two custom IEF policies: one for signin, and separately one for signup.
On the signin page ADB2C tries to generate a URL for signup, but because we have a custom policy for signup we need to rewrite this URL in JavaScript so that it points to a different URL
(as described in these Q&As):
B2C - How to override sign up now link (custom policy)
Msal 2.0 - how to generate Sign Up link with Azure B2C?
But now we start hitting more issues. We can't rewrite the URL to myapp.com/signup, because we need to rewrite it based on the environment. It needs to rewrite to dev-app.com/signup or test-app.com/signup etc.
So the only way I can see to fix this is to use separate ContentDefinitions for each environment, each with customised javascript.
But then I also need individual policies for each environment so that each policy can use a specific content definition file!
Ugh. Is there an easier way than trying to maintain what should really be one set of policies across three sets of environments (which ends up becoming 6 sets of policies, content definition files etc)?!
Fantasising a bit - I think ideally we'd configure MSAL to send the environment to the policy somehow, and then at least make that variable available in the policy files so that they could perhaps fetch the content definition files with a query parameter?
<ContentDefinition Id="api.signin">
  <LoadUri>https://storage.com/adb2c/signin-{Culture:RFC5646}.html?env={environment}</LoadUri>
</ContentDefinition>
Yes, use DevOps and Azure Pipelines.
You can then search and replace the variables that you need to change across environments.

How to prevent false positive block in Azure WAF for password field

I'm using Azure Front door with a web application firewall policy. Managed rule set 1.0 is configured.
It all works pretty well, apart from the password field in the login page of my web site. I see numerous block occasions based on rule 1.0-SQLI-942100 (SQL injection attempt) while the submitted password is legit, e.g. a password with the following format:
12-(Maria)_1002
Since the password field is quite critical (I do see numerous valid blocks with actual SQL injection attempts as well!), I don't want to add this field to the firewall exclusions.
Any idea how to prevent legit passwords from being blocked? I've considered excluding some chars from the input, but which ones need to be excluded?
You can set global exclusions on the WAF Policy to exclude fields in the request body from being scanned.
On the policy use Managed rules then Exclusions to add exclusions.
See:
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal#waf-exclusion-lists

stop global level policy execution at operation level

This is in the context of the Azure API Management (APIM) service. New UI changes in Azure have changed the behaviour of policy execution, I believe.
I have one policy for jwt-validate set at global level for all APIs.
Recently I had to add new API which doesn't need JWT validation but certificate authentication.
So in APIM I created new API, product and added certificate authentication policy at product level.
When I run my API the JWT policy is also firing. How can I stop it from executing in this case? I removed <base /> but that stopped the global + product level policies.
I want to stop execution of the global policy but I want the product level policy to execute.
Please advise.
I had the same situation where I needed a specific API to skip a global policy that I had setup for JWT validation. The way that I made it work was by removing the <base /> tag from my API policies.
Of course, this removed all of my global policies not only the JWT-validator. But this was fine for my particular case.
This is not controlled by the UI at all and wouldn't have been subject to recent updates. The policy chain is controlled with the <base /> tag in policies. At operation level <base /> invokes the API policy, at API level it invokes the Product policy, at product level the global one. If you remove <base /> from a policy document the chain will be broken and the base policy invocation will not happen. So if for a certain product you do not want the global policy to be invoked for every call, just remove <base /> from the product policy.

Terms of Policy and Privacy Policy for application release?

I want to release my application in play store and app store.
But that store requires a PrivacyPolicyUrl, and I don't use a signup system.
And most applications have terms of policy in their signup view.
Is it essential?
So...
Is a Privacy Policy required for a non-signup application, too?
Are terms of policy required even if I'm just a developer, not a company?
Yes, a Privacy Policy is required even for apps that do not require sign-up. However, a sign-up screen is good as you can use the clickwrap method of getting active consent from users to accept your Privacy Policy.
The requirement of a Privacy Policy is due to sensitive permissions your app may ask for.
You can find the list of those permissions here: https://play.google.com/about/privacy-security/personal-sensitive/
Even if you don’t need and ask for those permissions, make sure you know what third parties you use in the app that might trigger this requirement (e.g. AdMob).
You’ll need to add the URL to the Privacy Policy URL at Store Listing section. The link must be publicly accessible. Google will not host it for you.
A Terms of Service is not required, but it’s useful to add rules regarding user-generated content, unacceptable behaviour and so on. For example, it’s useful to add intellectual property clauses, ownership over your content and licenses over user-generated content clauses.

AdalJs - How to disable silent renewing Tokens

I'm working on applying a custom company security policy in my company's application.
I use the AdalJs library and I see that even if I apply my Azure policy to the AD application, because of the silent renewing of tokens, I'm not able to comply with the policy requirements.
Is there a parameter to set in AdalJs library to disable the Renewing Tokens?
If not, I'll be forced to modify the library, but it is not what I'd like to do.
Thank you in advance.
OaicStef
No, there is no such parameter to disable token renewing. If you have a common scenario that requires this feature, I suggest that you submit the feedback from here.
And if it is not a common scenario, you may need to modify the source code. For example, you can modify the acquireToken function to remove the related code about _renewToken and modify it based on your special requirement.
