
Typescript Unsafe Inline Script

Description

Detects Content Security Policy (CSP) configurations that allow inline scripts. Listing 'unsafe-inline' in the script-src directive (or in default-src when no script-src is set) tells the browser to execute any inline script on the page, including one an attacker manages to inject. This largely cancels the XSS protection that CSP is meant to provide, so it is treated as a critical finding.

Detection Strategy

    Scans Content Security Policy configurations in HTML meta tags or HTTP headers

    Identifies 'script-src' directives that contain the 'unsafe-inline' keyword

    Reports a vulnerability when the effective script policy explicitly allows inline scripts through 'unsafe-inline'
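
The following is an added example that is not part of the original rule page or the scanner's own implementation. It shows the detection strategy above as working TypeScript: a small CSP parser, resolution of the directive that actually governs scripts (script-src, falling back to default-src), extraction of policies from HTML meta tags, and the check for 'unsafe-inline'. It also handles the caveat a practitioner needs: when a nonce- or hash-source is present in the same directive, CSP Level 2+ browsers ignore 'unsafe-inline', so the example downgrades rather than drops the finding. All sample policies and the HTML snippet are constructed for this example.

```typescript
// Added example: CSP 'unsafe-inline' detection mirroring the rule above.
// Not the scanner's own code; sample inputs are constructed.

export interface CspFinding {
  directive: string;      // directive that governs scripts (script-src or default-src)
  sources: string[];      // its source list, lower-cased
  unsafeInline: boolean;  // 'unsafe-inline' present in that directive
  neutralized: boolean;   // a nonce-/sha-source is also present, so CSP2+ browsers ignore 'unsafe-inline'
}

/** Parse "dir src src; dir src" into a map of directive -> source list. */
export function parseCsp(policy: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const raw of policy.split(';')) {
    const [first, ...rest] = raw.trim().split(/\s+/).filter(Boolean);
    if (!first) continue;
    const name = first.toLowerCase();
    // Per the CSP spec a repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, rest);
  }
  return directives;
}

/** Resolve the effective script directive and check it for 'unsafe-inline'. */
export function checkScriptSrc(policy: string): CspFinding | null {
  const directives = parseCsp(policy);
  const directive = directives.has('script-src') ? 'script-src'
                  : directives.has('default-src') ? 'default-src' : null;
  if (directive === null) return null; // no script policy at all: out of scope for this rule
  const sources = (directives.get(directive) ?? []).map(s => s.toLowerCase());
  const unsafeInline = sources.includes("'unsafe-inline'");
  const neutralized = unsafeInline &&
    sources.some(s => s.startsWith("'nonce-") || /^'sha(256|384|512)-/.test(s));
  return { directive, sources, unsafeInline, neutralized };
}

/** Pull policy strings out of <meta http-equiv="Content-Security-Policy" content="..."> tags. */
export function cspFromHtml(html: string): string[] {
  const out: string[] = [];
  for (const tag of html.match(/<meta\b[^>]*>/gi) ?? []) {
    if (!/http-equiv\s*=\s*["']?content-security-policy["']?/i.test(tag)) continue;
    const m = tag.match(/content\s*=\s*"([^"]*)"|content\s*=\s*'([^']*)'/i);
    if (m) out.push(m[1] ?? m[2] ?? '');
  }
  return out;
}

/** Human-readable verdict for one policy string. */
export function report(policy: string): string {
  const f = checkScriptSrc(policy);
  if (f === null) return 'no script policy';
  if (!f.unsafeInline) return `ok (${f.directive})`;
  return f.neutralized
    ? `warning: 'unsafe-inline' in ${f.directive} is ignored by CSP2+ browsers because a nonce/hash is present`
    : `vulnerable: 'unsafe-inline' in ${f.directive}`;
}

// Constructed samples: an HTTP header value and a page with two meta policies.
export const SAMPLE_HEADER = "default-src 'self'; script-src 'self' 'unsafe-inline'";
export const SAMPLE_HTML = `<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'">
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc123' 'unsafe-inline'">
</head></html>`;

/** Run the rule over the header and every meta policy found in the HTML. */
export function scanAll(header: string, html: string): string[] {
  return [header, ...cspFromHtml(html)].map(report);
}
```

Running scanAll(SAMPLE_HEADER, SAMPLE_HTML) yields one "vulnerable" verdict for the header, one for the meta tag whose default-src governs scripts, and a "warning" for the nonce-bearing policy. The warning case is kept as a finding because CSP Level 1 clients still honor 'unsafe-inline' there, but it is reported separately so it is not mistaken for an unprotected page.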

Vulnerable code example

import { Request, Response } from 'express';

function setInsecureCsp(req: Request, res: Response): void {
  res.setHeader(
    "Content-Security-Policy",
    "script-src 'self' 'unsafe-inline'" // Vulnerable: allows inline scripts which can be exploited for XSS
  );
  res.send('<h1>Page with insecure CSP</h1>');
}

✅ Secure code example

import { Request, Response } from 'express';
import crypto from 'crypto';

function setSecureCsp(req: Request, res: Response): void {
  // Generate random nonce for each request to secure inline scripts
  const nonce = crypto.randomBytes(16).toString('base64');

  res.setHeader(
    "Content-Security-Policy",
    `script-src 'self' 'nonce-${nonce}'` // Only scripts carrying this nonce may run; no 'unsafe-inline' needed
  );
  // Every intentional inline script must carry the same per-request nonce
  res.send(`<h1>Page with nonce-based CSP</h1><script nonce="${nonce}">console.log('trusted inline script');</script>`);
}