
Content Security Policy (CSP)

Zer0CoolX edited this page Jul 17, 2019 · 2 revisions

Content Security Policy (CSP) is an optional line that the script can add to the Nginx SSL configuration for Guacamole, chosen via a prompt. It is disabled by default, but it can be enabled at the prompt while the script runs, or toggled on/off after completion by uncommenting or commenting out the add_header Content-Security-Policy line in guacamole_ssl.conf.
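As an added example (not part of the script or this page), the toggle described above as a small POSIX shell helper: it comments or uncomments the add_header Content-Security-Policy line in a config file and reports the current state. It assumes the directive sits on one line, optionally preceded by whitespace and a single '#'; the sample config it writes is constructed for the demo, not the script's real policy.

```bash
#!/bin/sh
# Print "on" if an uncommented add_header Content-Security-Policy line exists, else "off".
csp_state() {
    if grep -Eq '^[[:space:]]*add_header[[:space:]]+Content-Security-Policy' "$1"; then
        echo on
    else
        echo off
    fi
}

# Usage: csp_toggle <conf-file> on|off   (idempotent: toggling twice changes nothing)
csp_toggle() {
    conf="$1"; mode="$2"; tmp=$(mktemp) || return 1
    case "$mode" in
        on)  # strip a leading '#' (and any spaces after it) before the directive
            sed -E 's/^([[:space:]]*)#[[:space:]]*(add_header[[:space:]]+Content-Security-Policy)/\1\2/' \
                "$conf" > "$tmp" ;;
        off) # prefix an active directive with '#'; already-commented lines do not match
            sed -E 's/^([[:space:]]*)(add_header[[:space:]]+Content-Security-Policy)/\1#\2/' \
                "$conf" > "$tmp" ;;
        *)   rm -f "$tmp"; echo "usage: csp_toggle <conf-file> on|off" >&2; return 2 ;;
    esac
    mv "$tmp" "$conf"
}

# Write a constructed, minimal guacamole_ssl.conf-style file (demo input only).
csp_demo_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    add_header Content-Security-Policy "default-src 'self'";
    add_header X-Frame-Options "SAMEORIGIN";
}
EOF
}

# Demo run: start enabled, switch off, switch back on.
demo=$(mktemp)
csp_demo_conf "$demo"
echo "initial: $(csp_state "$demo")"
csp_toggle "$demo" off; echo "after off: $(csp_state "$demo")"
csp_toggle "$demo" on;  echo "after on:  $(csp_state "$demo")"
rm -f "$demo"
```

After toggling the real file, validate and reload Nginx (nginx -t, then reload) so the change takes effect; the helper deliberately does not do that itself.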

CSP, in short, is an HTTP response header which helps reduce XSS risks in modern browsers by declaring which dynamic resources are allowed to load. Overall, the addition of CSP should further strengthen the security of a Guacamole implementation using this installation script and its other security features.

That increased security may come at the cost of reduced compatibility, especially with older client operating systems and browsers. While I strive to test all aspects of the script and its results as completely as possible, it is possible that the addition of CSP may block or prevent features of Guacamole from functioning properly, or at all. Should you find a case in which CSP blocks a function of Guacamole, please report it following the How to Report an Issue instructions.

To measure the benefits of using CSP, and especially to compare the previous settings against future ones, I am using the following site:

Mozilla Observatory

Due to the requirements for specific parameters in CSP to allow Guacamole to function, it is not currently possible to get a perfect score in this test.

The current score is an A+ (100/100); however, this test can reach a maximum score of 135/100. I know this seems odd, but think of it as scoring extra credit on an exam. Essentially, the current settings in the script score a base of 90/100 (-10 for aspects of CSP considered less than ideal) and then get +10 "extra credit" (+5 for each of 2 aspects of the policy), for a total of 100 points.

https://content-security-policy.com/

The above site provides more general background on what CSP is, how it works, and which options and parameters can be set.