HTTP Security Headers - Remote Session Launcher

[parrishk]

Good day!

 

I was recently configuring remote session launcher and was unable to due the Content Security Policy not allowing "psrsl://*" on the 'default-src'.

 

Once I added this to the header it worked as expected.

 

My question is, can you provide a list of default headers that are now included in Passwordstate and should psrsl://* be included by default?

[support]

Hello,

 

With our Client Based Launcher, psrsl is only required as a configuration in Chrome - we have not added any security headers for this launcher, so the behaviour you've explained above is a bit unusual.

The headers we add to the payload are:

 

Embedded in Code

 Response.AddHeader("x-frame-options", "SAMEORIGIN")
 Response.AddHeader("X-XSS-Protection", "1; mode=block")
 Response.AddHeader("X-Content-Type-Options", "nosniff")
 Response.AddHeader("Referrer-Policy", "same-origin")
 Response.Headers.Remove("Server")

In Web.config file

<customHeaders>
        <add name="X-UA-Compatible" value="IE=edge" />
        <add name="Cache-Control" value="max-age=0, no-cache, must-revalidate" />
        <add name="Expires" value="Thu, 01 Jan 1970 00:00:00 GMT" />
        <add name="Pragma" value="no-cache" />
        <remove name="X-Powered-By" />
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>

 

Regards

Click Studios