Javascript Unsafe Inline Script
Description
Detects unsafe usage of inline JavaScript scripts that violate Content Security Policy (CSP) best practices. This creates security risks by allowing arbitrary script execution, potentially enabling cross-site scripting (XSS) attacks. CSP is designed to prevent such attacks by controlling script execution sources.
Weakness:
043 - Insecure or unset HTTP headers - Content-Security-Policy
Category: Protocol Manipulation
Detection Strategy
• Identifies JavaScript inline script usage in HTML elements and attributes
• Checks for script content directly embedded in HTML rather than loaded from approved external sources
• Detects event handlers with inline JavaScript code in HTML attributes (like onclick="...")
• Reports violations when inline scripts are found that would be blocked by strict CSP rules
Vulnerable code example
const express = require('express');
const helmet = require('helmet');
const app = express();
// Vulnerable: Using unsafe-inline allows execution of arbitrary scripts
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],...✅ Secure code example
const express = require('express');
const helmet = require('helmet');
const crypto = require('crypto');
const app = express();
// Generate unique nonce per request
app.use((req, res, next) => {
res.locals.nonce = crypto.randomBytes(16).toString('base64');...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.