Version Affected: 20.06 onwards
Description:
When trying to configured multifactor methods, when the Request Type is set to Accept/Deny, you should be also able to choose between "User pushes Accept" or "User pushes displayed symbol"
It has been noted that this option is missing for some Admin Consoles.
Cause:
Security Header best practices does not take into account that one of the required CSS pages is hosted externally.
Resolution:
Adjust your Content-Security-Policy to allow remote style sheets.
For example, if your current CSP is set to :
default-src 'self' data: 'unsafe-inline' 'unsafe-eval';
You could adjust this to
default-src 'self' data: 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://us-cloud.secureauth.com data:
'unsafe-inline' 'unsafe-eval';
Special Considerations :
We have our Security Team looking into the most secure CSP settings that we can set without losing functionality in the product. Once this task has been completed, we plan to update the Best Practices Doc.
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
Comments
Please sign in to leave a comment.