Content Security Policy (CSP) Keywords Not Used Within Single Quotes
Description
Content Security Policy (CSP) keywords such as 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'unsafe-hashes', and the 'nonce-...' and 'sha256-...' source expressions are only recognized by the CSP grammar when they are enclosed in single quotes. Written without quotes, a token like self or none is not rejected; the browser parses it as an ordinary host-source expression, that is, a host literally named "self" or "none". Because no real origin has that hostname, the directive no longer expresses what the author intended: an unquoted self blocks the page's own scripts and an unquoted unsafe-inline still blocks inline scripts, so the usual symptom is broken functionality, which is then often "fixed" by loosening the policy rather than by quoting the keyword. The mistake can also weaken the policy directly. A nonce-based policy such as script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline' relies on 'strict-dynamic' to make browsers ignore the https: and 'unsafe-inline' fallbacks; if strict-dynamic is unquoted, that fallback allow list becomes live and any https: script or inline script is permitted. Chromium-based browsers log a console warning when a known keyword appears without quotes, but the policy is still applied as written.
Remediation
Review all Content Security Policy directives (in the Content-Security-Policy and Content-Security-Policy-Report-Only headers and in any http-equiv meta tag) and ensure that CSP keywords are enclosed in single quotes. The following must always be quoted: 'none', 'self', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'unsafe-hashes', 'report-sample', 'wasm-unsafe-eval', nonce sources in the form 'nonce-<base64>', and hash sources in the form 'sha256-<base64>', 'sha384-<base64>' or 'sha512-<base64>'. Quoting is also required on policies sent with the Report-Only header, since an unquoted keyword there produces misleading violation reports. Host sources (https://cdn.example.com) and scheme sources (https:, data:) are not quoted.
Incorrect CSP header example:
Content-Security-Policy: script-src self unsafe-inline; default-src none
Correct CSP header example:
Content-Security-Policy: script-src 'self' 'unsafe-inline'; default-src 'none'
After updating the CSP directives, test the policy thoroughly: load the affected pages with browser developer tools open and confirm that no CSP warnings about unquoted keywords and no unexpected violation reports appear in the console, and that legitimate scripts, styles and other resources still load. A CSP validator (online or as part of the build) can additionally verify that the header parses as intended before it is deployed.
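The check below is an added example, not part of the original finding or of any scanner's own code. It does two things a reviewer would want: it flags every keyword, nonce or hash that appears in a policy without single quotes (and rewrites the policy with them quoted), and it models enough of CSP source matching to show the failure mode described above, namely that an unquoted self is matched as a host literally named "self". The source-matching logic is a deliberate simplification (hostname comparison only, no port, path or scheme rules), which is an assumption of this example rather than a full implementation of the CSP matching algorithm; the sample policies are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Keyword source expressions that the CSP grammar recognizes only inside single quotes.
KEYWORDS = {
    "none", "self", "unsafe-inline", "unsafe-eval", "strict-dynamic",
    "unsafe-hashes", "report-sample", "wasm-unsafe-eval",
}
# Nonce and hash sources ('nonce-...', 'sha256-...', ...) also require quotes.
NONCE_HASH_RE = re.compile(r"^(nonce-|sha(256|384|512)-)", re.IGNORECASE)


def _iter_directives(policy):
    """Yield (directive_name, [tokens]) for each ';'-separated directive in a header value."""
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts:
            yield parts[0].lower(), parts[1:]


def _bare_keyword(tok):
    """Return the keyword/nonce/hash text if tok is one written without proper quotes, else None.
    A mismatched quote such as 'self (no closing quote) is also reported."""
    properly_quoted = len(tok) >= 2 and tok.startswith("'") and tok.endswith("'")
    if properly_quoted:
        return None
    stripped = tok.strip("'")
    if stripped.lower() in KEYWORDS or NONCE_HASH_RE.match(stripped):
        return stripped
    return None


def find_unquoted_keywords(policy):
    """Return [(directive, offending_token, suggested_replacement), ...] for a policy string."""
    findings = []
    for name, tokens in _iter_directives(policy):
        for tok in tokens:
            bare = _bare_keyword(tok)
            if bare is not None:
                findings.append((name, tok, f"'{bare}'"))
    return findings


def fix_policy(policy):
    """Rewrite the policy with every bare keyword/nonce/hash quoted; other tokens are kept verbatim.
    Hash and nonce text keeps its original case because base64 is case-sensitive."""
    fixed = []
    for name, tokens in _iter_directives(policy):
        out = [f"'{_bare_keyword(t)}'" if _bare_keyword(t) is not None else t for t in tokens]
        fixed.append(" ".join([name] + out))
    return "; ".join(fixed)


def _host_source_allows(token, url):
    """Simplified host-source matching (assumption: hostname only, optional leading '*.' wildcard)."""
    host = (urlsplit(url).hostname or "").lower()
    token = token.lower()
    if token.startswith("*."):
        return host.endswith(token[1:])
    return host == token


def script_allowed(policy, page_origin, script_url):
    """Decide whether script-src (falling back to default-src) permits loading script_url.
    Models only 'self', 'none' and host sources, enough to show what an unquoted keyword does."""
    directives = dict(_iter_directives(policy))
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no applicable directive, so no restriction
    if sources == ["'none'"]:
        return False  # the quoted keyword 'none' matches nothing
    u = urlsplit(script_url)
    script_origin = f"{u.scheme}://{u.netloc}".lower()
    for tok in sources:
        if tok == "'self'":
            if script_origin == page_origin.lower():
                return True
        elif not tok.startswith("'"):
            # Anything unquoted, including a bare "self" or "none", is treated as a host name.
            if _host_source_allows(tok, script_url):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample policy from the finding above.
    bad = "script-src self unsafe-inline; default-src none"
    for directive, tok, fix in find_unquoted_keywords(bad):
        print(f"{directive}: '{tok}' is unquoted, use {fix}")
    print("fixed:", fix_policy(bad))
    origin = "https://example.com"
    print("same-origin script with unquoted self :", script_allowed(bad, origin, "https://example.com/app.js"))
    print("same-origin script with quoted 'self' :", script_allowed(fix_policy(bad), origin, "https://example.com/app.js"))
    print("script from a host named self         :", script_allowed(bad, origin, "https://self/app.js"))
```

Running the block prints three findings for the bad policy, the corrected header value, and then shows that with the unquoted self the page's own script is blocked while a script from a host literally called "self" would be allowed, which is exactly the misparse the finding describes.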