Jump to content

HTTP Security Headers - Remote Session Launcher

Recommended Posts

Good day!


I was recently configuring remote session launcher and was unable to due the Content Security Policy not allowing "psrsl://*" on the 'default-src'.


Once I added this to the header it worked as expected.


My question is, can you provide a list of default headers that are now included in Passwordstate and should psrsl://* be included by default?

Link to post
Share on other sites



With our Client Based Launcher, psrsl is only required as a configuration in Chrome - we have not added any security headers for this launcher, so the behaviour you've explained above is a bit unusual.

The headers we add to the payload are:


Embedded in Code

 Response.AddHeader("x-frame-options", "SAMEORIGIN")
 Response.AddHeader("X-XSS-Protection", "1; mode=block")
 Response.AddHeader("X-Content-Type-Options", "nosniff")
 Response.AddHeader("Referrer-Policy", "same-origin")

In Web.config file

        <add name="X-UA-Compatible" value="IE=edge" />
        <add name="Cache-Control" value="max-age=0, no-cache, must-revalidate" />
        <add name="Expires" value="Thu, 01 Jan 1970 00:00:00 GMT" />
        <add name="Pragma" value="no-cache" />
        <remove name="X-Powered-By" />
        <add name="Strict-Transport-Security" value="max-age=31536000" />



Click Studios

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...