Java Insecure Csp Unsafe Inline
Description
Detects insecure Content Security Policy (CSP) configurations that allow inline scripts. Permitting inline JavaScript defeats the purpose of the policy, because injected inline scripts can execute and lead to Cross-Site Scripting (XSS). The 'unsafe-inline' keyword in the script-src directive undermines the protection CSP is meant to provide against script injection attacks.
Weakness:
043 - Insecure or unset HTTP headers - Content-Security-Policy
Category: Protocol Manipulation
Detection Strategy
• Check method calls that configure HttpSecurity objects (Spring Security configuration)
• Check method calls that set CSP headers through HttpServletResponse objects
• Identify configurations or header values that include 'unsafe-inline' directives
• Report a vulnerability when CSP is configured to allow inline scripts through either security configuration or response headers
Vulnerable code example
import javax.servlet.http.HttpServletResponse;

public class ContentSecurityPolicy {
    public void setHeader(HttpServletResponse response) {
        // Vulnerable: uses 'unsafe-inline', which allows execution of inline scripts
        response.setHeader("Content-Security-Policy", "script-src 'self' 'unsafe-inline'");
    }
}

✅ Secure code example
import javax.servlet.http.HttpServletResponse;
import java.security.SecureRandom;
import java.util.Base64;

public class ContentSecurityPolicy {
    public void setHeader(HttpServletResponse response) {
        // Generate a cryptographically secure, per-response nonce for CSP
        byte[] nonceBytes = new byte[16];
        new SecureRandom().nextBytes(nonceBytes);
        String nonce = Base64.getEncoder().encodeToString(nonceBytes);
        // Secure: only scripts carrying this nonce in their nonce attribute may run;
        // 'unsafe-inline' is not present, so other inline scripts are blocked
        response.setHeader("Content-Security-Policy", "script-src 'self' 'nonce-" + nonce + "'");
    }
}
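As an added example that is not part of the original rule documentation, the following Java class applies the header-value part of the detection strategy to CSP strings: it parses the policy, resolves the script-src fallback to default-src, and reports whether the effective source list contains 'unsafe-inline'. The class name and the sample policies are constructed here for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public final class CspInlineCheck {

    // Parses "directive source ...; directive source ..." into a map keyed by directive name.
    // Per the CSP spec, only the first occurrence of a directive is honoured.
    static Map<String, String[]> parse(String policy) {
        Map<String, String[]> directives = new HashMap<>();
        for (String part : policy.split(";")) {
            String[] tokens = part.trim().split("\\s+");
            if (tokens.length == 0 || tokens[0].isEmpty()) {
                continue;
            }
            String name = tokens[0].toLowerCase(Locale.ROOT);
            directives.putIfAbsent(name, Arrays.copyOfRange(tokens, 1, tokens.length));
        }
        return directives;
    }

    // Returns true when the policy allows inline scripts via 'unsafe-inline', checking
    // script-src first and falling back to default-src when script-src is absent.
    // A policy with neither directive is a different (missing-policy) finding, not this rule.
    static boolean allowsInlineScripts(String policy) {
        Map<String, String[]> directives = parse(policy);
        String[] sources = directives.get("script-src");
        if (sources == null) {
            sources = directives.get("default-src");
        }
        if (sources == null) {
            return false;
        }
        // CSP Level 3 browsers ignore 'unsafe-inline' once a nonce or hash is present, but
        // the keyword is still reported because older browsers honour it.
        return Arrays.stream(sources).anyMatch(s -> s.equalsIgnoreCase("'unsafe-inline'"));
    }

    public static void main(String[] args) {
        // Constructed sample policies: the vulnerable header from this page, a default-src
        // fallback variant, and the nonce-based secure header (nonce value is a placeholder).
        String vulnerable = "script-src 'self' 'unsafe-inline'";
        String fallback = "default-src 'self' 'unsafe-inline'; img-src *";
        String secure = "script-src 'self' 'nonce-PLACEHOLDER_NONCE'";
        for (String policy : new String[] {vulnerable, fallback, secure}) {
            System.out.println((allowsInlineScripts(policy) ? "INSECURE: " : "ok: ") + policy);
        }
    }
}
```

The same method can be wrapped around a response filter or unit test to fail a build whenever a header value of this shape is emitted.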