Okta is working on enhancing Content Security Policy (CSP) headers for customer orgs. With this enablement, customers will notice a change in the size of their Okta application's response headers.
What is CSP
CSP (Content Security Policy) is an HTTP response header that gives the browser directives allowlisting the origins and types of content that may be loaded on the client side. This covers the sources of scripts, images, iframes, media, and any other content fetched from the internet.
Why CSP
CSP adds a layer of security that helps detect and mitigate attacks such as XSS (Cross-Site Scripting), injection attacks, and clickjacking (via the frame-ancestors directive). CSP makes it extremely difficult for attackers to inject malicious scripts into the page's DOM.
Current State of CSP
We are performing a slow rollout for customer orgs, starting with enablement of the headers in report-only mode.
During the slow rollout, customers will see two CSP headers:
- content-security-policy: the hard-enforcement header, which applies the policy.
- content-security-policy-report-only: the reporting header, which only reports violations.
An issue has been identified with the CSP rollout: customers using an API Gateway in their infrastructure may see a 401 error because the size of Okta's response headers, which now include the CSP headers, is greater than the maximum response header size allowed by the API Gateway.
Applies To
- Content-Security-Policy and Content-Security-Policy-Report-Only headers
- API Gateway
- NGINX
The 401 error occurs because the total size of the HTTP response headers, which includes two CSP headers, exceeds the maximum size limit configured in the API Gateway or NGINX proxy.
To resolve this issue, determine whether the error is caused by the response header size by performing the following steps:
- Inspect the HTTP response from the application and confirm that both the content-security-policy and content-security-policy-report-only headers are present.
- Calculate the total size of the response headers.
- Consult the documentation for the specific API Gateway or NGINX proxy to identify its maximum allowed response header size.
  NOTE: Common default limits are listed below.
  - AWS API Gateway: total combined size of all header values is 10 KB, not configurable.
  - Google Cloud Apigee API Gateway: maximum response header size is 60 KB.
  - Kong API Gateway: maximum response header size is 8 KB, configurable using KONG_NGINX_PROXY_LARGE_CLIENT_HEADER_BUFFERS.
  - NGINX proxy: the default proxy buffer size is 4 KB, configurable using proxy_buffer_size.
- If the total size of the response headers exceeds the configured limit, increase the limit on the API Gateway or NGINX proxy if the setting is configurable.
- If the issue persists after increasing the limit, or if the limit is not configurable, contact Okta Support for assistance.
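The first three steps above (confirm both CSP headers are present, total the header bytes, compare with the gateway's limit) can be automated. The script below is an added example, not Okta tooling: it parses a raw HTTP response head (as captured with curl -i or a proxy log) and compares the total against the default limits listed in the note; the sample response and its policy are constructed.

```python
# Default response-header limits (bytes) from the note above.
GATEWAY_LIMITS = {
    "AWS API Gateway": 10 * 1024,
    "Google Cloud Apigee": 60 * 1024,
    "Kong API Gateway": 8 * 1024,
    "NGINX proxy_buffer_size (default)": 4 * 1024,
}
CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")


def parse_response_head(raw):
    """Return (lowercased name, value) pairs from a status line plus header block."""
    _status, _, header_block = raw.partition("\r\n")
    headers = []
    for line in header_block.split("\r\n"):
        if not line:  # the empty line terminates the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def header_bytes(headers):
    """On-the-wire size of the header lines, one 'Name: value\\r\\n' each. Products
    count differently (AWS counts values only), so this is a conservative upper bound."""
    return sum(len(f"{n}: {v}\r\n".encode()) for n, v in headers)


def check_response(raw):
    """Report CSP presence, total header size and which gateways would reject it."""
    headers = parse_response_head(raw)
    names = {n for n, _ in headers}
    total = header_bytes(headers)
    return {
        "csp_present": all(h in names for h in CSP_HEADERS),
        "total_header_bytes": total,
        "exceeds": [gw for gw, limit in GATEWAY_LIMITS.items() if total > limit],
    }


# Constructed sample: both CSP headers carry a long connect-src allowlist.
SAMPLE_POLICY = ("default-src 'self'; script-src 'self' 'nonce-abc123'; "
                 "img-src 'self' data:; frame-ancestors 'self'; connect-src 'self' "
                 + " ".join(f"https://cdn{i}.example.com" for i in range(100)))
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    f"Content-Security-Policy: {SAMPLE_POLICY}\r\n"
    f"Content-Security-Policy-Report-Only: {SAMPLE_POLICY}; report-uri /csp-report\r\n"
    "\r\n"
)
```

For the constructed sample, check_response reports both CSP headers present and a total just over 5 KB, so only the 4 KB NGINX default is exceeded; replace SAMPLE_RESPONSE with a captured response head to test a real org.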
