Insecure or unset HTTP headers - Content-Security-Policy
Description
The application has unsafe configurations regarding the Content-Security-Policy header. This may be because:
- The header is missing from server responses.
- The header does not define the mandatory security policies.
- The defined security policies contain insecure values.
Impact
- Embed content, scripts, blobs or images from potentially malicious sources.
- Make it possible to carry out attacks such as Cross-Site Scripting and Cross-Site Leaks, among others.
Recommendation
Set the Content-Security-Policy header in the server responses and configure it in a secure way.
Threat
Unauthorized attacker from the Internet.
Expected Remediation Time
⏱️ 15 minutes.
Requirements
062 - Define standard configurations
117 - Do not interpret HTML code
175 - Protect pages from clickjacking
349 - Include HTTP security headers
Rules
Http Host Serves Jsonp Security Risk
Http Unsafe Inline In Script Src
Http Unsafe Wildcard In Directive
Http Missing Frame Ancestors Header
Http Missing Object Src Attribute
Http Missing Content Security Policy
Http Deprecated Block All Mixed Content
Http Missing Upgrade Insecure Requests
Http Missing Script Src Attribute
Kotlin Csp Unsafe Inline
Java Insecure Csp Unsafe Inline
Typescript Unsafe Inline Script
Javascript Unsafe Inline Script
Php Insecure Content Security Policy
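To make the Recommendation and the HTTP rules above concrete, here is an added example (not from the original page or its scanner): a small Python checker that takes a Content-Security-Policy header value and reports which of the listed rules it violates. The functions parse_csp and check_csp and the two sample headers are constructed for this example.

```python
# Added example, not from the original page: checks one CSP header value
# against the weak settings this page's rules describe. parse_csp,
# check_csp and the two sample headers are constructed for this example.

# Directives the rules expect to be set explicitly, with the rule each
# omission maps to.
REQUIRED_DIRECTIVES = (
    ("script-src", "Http Missing Script Src Attribute"),
    ("object-src", "Http Missing Object Src Attribute"),
    ("frame-ancestors", "Http Missing Frame Ancestors Header"),
    ("upgrade-insecure-requests", "Http Missing Upgrade Insecure Requests"),
)


def parse_csp(header):
    """Split a CSP value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(header):
    """Return the rule names a header value violates (None = header absent)."""
    if header is None:
        return ["Http Missing Content Security Policy"]
    policy = parse_csp(header)
    findings = [rule for name, rule in REQUIRED_DIRECTIVES if name not in policy]
    if "block-all-mixed-content" in policy:
        findings.append("Http Deprecated Block All Mixed Content")
    if "'unsafe-inline'" in policy.get("script-src", []):
        findings.append("Http Unsafe Inline In Script Src")
    for name, sources in policy.items():
        if "*" in sources:  # bare wildcard allows any origin for that directive
            findings.append("Http Unsafe Wildcard In Directive (%s)" % name)
    return findings


# Constructed sample headers: a weak policy and a hardened one.
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline'; block-all-mixed-content"
HARDENED_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                "frame-ancestors 'none'; base-uri 'self'; upgrade-insecure-requests")

if __name__ == "__main__":
    for label, value in (("missing", None), ("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, check_csp(value) or "no findings")
```

Run against a real response header, the weak sample yields six findings and the hardened sample none; the check covers only the rules named on this page, not the full CSP specification.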