An Unsafe Content Security Policy (CSP) Directive in Use - Vulnerability Database

An Unsafe Content Security Policy (CSP) Directive in Use

Description

The application implements a Content Security Policy (CSP) that contains unsafe directives or misconfigurations. While CSP is a security mechanism designed to prevent cross-site scripting (XSS) and other code injection attacks, certain directive values can weaken or negate its protective benefits. This assessment identifies specific CSP configurations that may introduce security risks or fail to provide the intended protection against content injection attacks.

Remediation

Review each flagged CSP directive identified in the alert details and apply the specific remediation guidance provided for each issue. Common remediation steps include:

1. Remove unsafe keywords: Eliminate 'unsafe-inline' and 'unsafe-eval' from script-src and style-src directives. Instead, use nonces or hashes for inline scripts and styles.

2. Restrict source lists: Replace wildcard sources (*) with specific, trusted domains. Avoid using 'data:', 'http:', or 'https:' schemes without specific hosts.

3. Implement strict directives: Use 'default-src' as a fallback and explicitly define restrictive policies for script-src, style-src, and object-src.

4. Test changes thoroughly: Deploy CSP changes in report-only mode first using the Content-Security-Policy-Report-Only header to identify potential breakage before enforcement.

Example of a secure CSP header:

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; style-src 'self' 'nonce-{random}'; object-src 'none'; base-uri 'self'; frame-ancestors 'none';

Consult the references and specific remediation advice in the alert details for guidance tailored to each identified issue.

Severity

Information