Tuesday, March 17, 2026

NetScaler Update Fixes Auth Vulnerability, But Citrix Warns of Authentication Failures

Citrix, a global leader in networking and application delivery, has introduced significant security enhancements in its recent NetScaler builds, specifically versions 14.1.47.46 and 13.1.59.19.

However, customers upgrading to these versions are experiencing unexpected authentication issues, prompting Citrix to issue a formal advisory.

Enhanced Security with CSP, Unexpected Side Effects

Starting with these new releases, NetScaler now enables the Content Security Policy (CSP) header by default.

This proactive move is part of Citrix’s ongoing “secure by design and default” initiative.

The CSP header is a browser security feature that helps prevent cross-site scripting (XSS) and code injection, as well as other client-side attacks, by tightly controlling which resources are permitted to load in the browser.

While CSP offers critical protection by blocking unauthorized scripts or external content, Citrix acknowledges that the stricter enforcement may inadvertently disrupt existing authentication workflows.

The most affected are deployments using multi-factor authentication solutions, such as DUO integrated via RADIUS, SAML-based single sign-on, or custom Identity Provider (IDP) configurations that rely on scripts not covered by the new CSP policy.

How to Restore Access: Disabling Default CSP Header

Citrix is advising customers facing “broken” login portals or authentication failures after upgrading to:

  • Temporarily disable the default CSP header on their NetScaler appliances.
  • Flush the cache to ensure the immediate effect of this configuration change.

CLI Steps:

  1. Log in to the NetScaler CLI and execute:
     set aaa parameter -defaultCSPHeader DISABLED
     save ns config
  2. Run:
     flush cache contentgroup loginstaticobjects

GUI Steps:

  1. Navigate to NetScaler Gateway > Global Settings.
  2. Under “Authentication Settings,” select “Change authentication AAA settings”.
  3. Set the Default CSP Header to DISABLED from the dropdown.
  4. Save and flush the cache as above.

Citrix Advises Reaching Out for Custom CSP Solutions

Citrix emphasizes that disabling the CSP header should be viewed as a temporary solution. For a more secure and permanent fix that ensures compliance with CSP while maintaining all authentication features, organizations are urged to contact Citrix Support.

Support teams can assist in customizing the CSP header for unique configurations, ensuring that legitimate scripts and integrations are CSP-compliant, restoring security and compatibility.
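Before disabling the header outright, an administrator can check whether the policy the appliance sends would actually block the script origins that a Duo, SAML or custom IdP integration loads. The following Python helper is an added example, not Citrix code: it parses a CSP header and reports which required origins fail the script-src directive. The policy strings and hostnames are constructed, since the advisory does not publish the default value NetScaler sends.

```python
from urllib.parse import urlparse
# Constructed sample policies for illustration; the advisory does not publish the
# actual default CSP value that NetScaler 14.1.47.46 / 13.1.59.19 sends.
STRICT_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-src 'self'"
RELAXED_CSP = "default-src 'self'; script-src 'self' https://*.duosecurity.com; frame-src 'self'"

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_source_matches(source: str, want) -> bool:
    """Match a host-source such as https://*.example.com or cdn.example.com:443."""
    scheme, _, hostport = source.rpartition("://")
    if scheme and scheme != want.scheme:
        return False
    host, _, port = hostport.split("/", 1)[0].partition(":")
    want_port = want.port or (443 if want.scheme == "https" else 80)
    if port and port != "*" and port != str(want_port):
        return False
    if host.startswith("*."):
        return want.hostname.endswith(host[1:])  # "*.example.com" -> ".example.com"
    return want.hostname == host

def _source_matches(src: str, want, me) -> bool:
    # Keyword sources ('unsafe-inline', nonces, hashes) never authorise an external origin.
    if src == "*":
        return True
    if src == "'self'":
        return (me.scheme, me.hostname, me.port) == (want.scheme, want.hostname, want.port)
    if src.startswith("'"):
        return False
    if src.endswith(":"):  # scheme-source, e.g. https:
        return want.scheme == src[:-1]
    return _host_source_matches(src, want)

def script_origin_allowed(header: str, self_origin: str, script_origin: str) -> bool:
    """True if a script from script_origin passes script-src, falling back to default-src as browsers do."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    want, me = urlparse(script_origin), urlparse(self_origin)
    return any(_source_matches(s.lower(), want, me) for s in sources)

def blocked_script_origins(header: str, self_origin: str, required: list) -> list:
    """Origins an authentication integration loads scripts from that the policy would block."""
    return [o for o in required if not script_origin_allowed(header, self_origin, o)]
```

Run it against the header captured from the gateway login page (for example with curl -sI) and the list of origins your integration actually loads; any origin it reports is one that support would need to add to a customised policy.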

Administrators and security professionals are also directed to the official Citrix documentation for more information on CSP headers and best practices.

The new CSP header in NetScaler introduces vital security improvements, but customers must review and adapt their authentication integrations to ensure continued functionality. Citrix support is ready to guide customers through these changes to ensure maximum security and uptime.
