PHP Insecure Content Security Policy
Description
Detects insecure Content Security Policy (CSP) header configurations in PHP applications. Weak or misconfigured CSP headers can lead to insufficient protection against cross-site scripting (XSS) attacks by failing to properly restrict which resources can be loaded by the webpage.
Weakness: 043 - Insecure or unset HTTP headers - Content-Security-Policy
Category: Protocol Manipulation
Detection Strategy
• Identifies PHP header() function calls in the code
• Examines the first argument passed to header() to check if it's setting a Content-Security-Policy header
• Analyzes the CSP header value to determine if it contains insecure directives or configurations
• Reports header() calls where the CSP configuration could allow potentially malicious content to be loaded
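The strategy above, as an added Python example that is not Fluid Attacks' rule code: it finds header() calls whose first argument is a string literal (or literals joined with "."), keeps those that set Content-Security-Policy, and flags the script sources the page calls insecure. It goes slightly beyond the page by also flagging bare scheme sources (http:, https:, data:) and a policy that sets neither script-src nor default-src; the PHP sample is constructed for the demonstration.

```python
import re

# Script sources that defeat CSP's XSS protection. The page names 'unsafe-inline',
# 'unsafe-eval' and '*'; bare scheme sources are added since they allow every host.
INSECURE_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}

# First header() argument: one string literal, or several concatenated with '.'
STRING_LITERAL = r"""(?:"[^"\\]*(?:\\.[^"\\]*)*"|'[^'\\]*(?:\\.[^'\\]*)*')"""
HEADER_CALL = re.compile(
    r"header\s*\(\s*(" + STRING_LITERAL + r"(?:\s*\.\s*" + STRING_LITERAL + r")*)", re.DOTALL
)

# Constructed PHP sample (not from the page): one weak CSP, one unrelated header,
# one strict CSP split over several literals, and one CSP without script sources.
SAMPLE_PHP = r'''<?php
header("Content-Security-Policy: script-src 'self' 'unsafe-inline';");
header("X-Frame-Options: DENY");
header("Content-Security-Policy: default-src 'self'; "
    . "script-src 'self' https://trusted-cdn.com; "
    . "style-src 'self' https://trusted-cdn.com;");
header("Content-Security-Policy: img-src *;");
'''

def header_string(arg: str) -> str:
    """Join the string literals of a (possibly concatenated) header() argument."""
    return "".join(m[1:-1] for m in re.findall(STRING_LITERAL, arg, re.DOTALL))

def csp_findings(value: str) -> list[str]:
    """Return the reasons a CSP value is considered insecure (empty if none)."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    # script-src governs scripts; default-src is the fallback when it is absent
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["neither script-src nor default-src is set, scripts are unrestricted"]
    return [f"script sources allow {s}" for s in sources if s.lower() in INSECURE_SCRIPT_SOURCES]

def scan_php(source: str) -> list[tuple[int, str]]:
    """Report (line, reason) for every header() call that sets an insecure CSP."""
    findings = []
    for match in HEADER_CALL.finditer(source):
        name, _, value = header_string(match.group(1)).partition(":")
        if name.strip().lower() != "content-security-policy":
            continue
        line = source.count("\n", 0, match.start()) + 1
        findings += [(line, reason) for reason in csp_findings(value)]
    return findings
```

Calling `scan_php(SAMPLE_PHP)` reports lines 2 and 7 of the sample and accepts the strict policy on lines 4 to 6.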
Vulnerable code example
<?php
// Each header() call below replaces the previous Content-Security-Policy header;
// they are listed together only to illustrate the insecure values.
// Vulnerable: 'unsafe-inline' allows execution of inline scripts and event handlers
header("Content-Security-Policy: script-src 'self' 'unsafe-inline';");
// Vulnerable: 'unsafe-eval' enables potentially dangerous code execution via eval()
header("Content-Security-Policy: script-src 'self' 'unsafe-eval';");
// Vulnerable: Allows ALL sources with wildcard, defeating CSP protection...
✅ Secure code example
<?php
// Secure: Strict CSP that disallows inline scripts and eval()
header("Content-Security-Policy: script-src 'self' https://trusted-cdn.com;");
// Secure: Comprehensive CSP covering multiple resource types with specific sources
// (PHP's header() refuses values containing newlines, so the directives are
// concatenated into a single header line)
header("Content-Security-Policy: default-src 'self'; "
    . "script-src 'self' https://trusted-cdn.com; "
    . "style-src 'self' https://trusted-cdn.com; "
    // ... remaining directives elided on the page
);