
Description

The application has unsafe configurations regarding the Content-Security-Policy header. This may be because:

- The header is missing from server responses.
- The header does not define mandatory security policies.
- The defined security policies contain insecure values.

Impact

- Embed content, scripts, blobs or images from potentially malicious sources.
- Make it possible to carry out attacks such as Cross-Site Scripting and Cross-Site Leaks, among others.

Recommendation

Set the Content-Security-Policy header in the server responses and configure it in a secure way.
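As an added example (not code from the original entry), the check below classifies a header value into the three causes listed in the Description: missing header, missing mandatory directives, and insecure values. The list of mandatory directives and the list of values treated as insecure are assumptions chosen for illustration, not a normative policy.

```python
# Added example: audit a Content-Security-Policy header value and report
# findings that map to the three misconfiguration causes in this entry.
# MANDATORY_DIRECTIVES and the insecure-value rules are illustrative
# assumptions, not a complete or authoritative list.
from typing import Dict, List, Optional

MANDATORY_DIRECTIVES = ("default-src", "script-src", "object-src", "base-uri")
# script-src and object-src fall back to default-src when absent; base-uri does not.
FALLBACK_TO_DEFAULT = ("script-src", "object-src")
# Values considered insecure in any directive.
INSECURE_ANYWHERE = ("'unsafe-inline'", "'unsafe-eval'")
# Overly broad sources that are treated as insecure where scripts/plugins load from.
BROAD_SOURCES = ("*", "http:", "data:")
SCRIPT_FAMILY = ("default-src", "script-src", "object-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source values]} (lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:  # skip empty segments such as a trailing ';'
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_csp(header: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    if header is None or not header.strip():
        return ["header missing"]
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in MANDATORY_DIRECTIVES:
        covered = directive in policy or (
            directive in FALLBACK_TO_DEFAULT and "default-src" in policy
        )
        if not covered:
            findings.append(f"missing directive: {directive}")
    for directive, values in policy.items():
        for value in values:
            if value in INSECURE_ANYWHERE or (
                directive in SCRIPT_FAMILY and value in BROAD_SOURCES
            ):
                findings.append(f"insecure value in {directive}: {value}")
    return findings


if __name__ == "__main__":
    # Constructed sample header, not taken from any real application.
    print(audit_csp("default-src *; script-src 'self' 'unsafe-inline'"))
```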

Threat

Unauthorized attacker from the Internet.

Expected Remediation Time

⏱️ 15 minutes.