Content Security Policy (CSP) Not Implemented - Vulnerability Database

Content Security Policy (CSP) Not Implemented

Description

Content Security Policy (CSP) is a browser security mechanism that helps prevent cross-site scripting (XSS), clickjacking, and code injection attacks by allowing web applications to specify which sources of content are trusted. The application does not implement CSP, as indicated by the absence of the Content-Security-Policy HTTP response header. Without CSP, browsers have no additional restrictions on loading resources, making the application more vulnerable to content injection attacks. While this is an informational finding, implementing CSP is considered a security best practice that provides defense-in-depth protection.

Remediation

Implement Content Security Policy by adding the Content-Security-Policy HTTP response header to all application responses. Follow these steps:

1. Analyze your application's resource requirements - Identify all sources from which your application loads scripts, stylesheets, images, fonts, and other resources.

2. Define a restrictive policy - Start with a strict policy and gradually adjust as needed. A basic policy example:

Content-Security-Policy: default-src 'self'; script-src 'self' https://code.jquery.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';

3. Test using report-only mode - Initially deploy using Content-Security-Policy-Report-Only to monitor violations without blocking content:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-violation-report

4. Avoid unsafe directives - Minimize use of 'unsafe-inline' and 'unsafe-eval' as they reduce CSP effectiveness against XSS attacks.

5. Implement server-side - Configure your web server or application framework to add the header. Example for Apache:
Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted-cdn.com"

Example for Nginx:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted-cdn.com" always;

6. Monitor and refine - Review CSP violation reports and adjust the policy to balance security and functionality.
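The six steps above can be exercised in code: build the header value from a directive map (step 2), audit it for the unsafe sources step 4 warns about, check whether a response carries the header at all or only in report-only mode (the condition this finding detects, step 3), and parse the violation report a browser posts to the report-uri endpoint (step 6). The following is an added example, not Invicti's code; the helper names (build_csp, parse_csp, audit_csp, check_response_headers, parse_violation_report) and the sample policy and report are assumptions constructed for illustration.

```python
"""Build, audit and test a Content-Security-Policy header (added example)."""
import json
from typing import Dict, List

# Source expressions that weaken CSP's protection against XSS (step 4).
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}


def build_csp(policy: Dict[str, List[str]]) -> str:
    """Serialize a directive -> source-list mapping into a header value.
    A directive with an empty source list is emitted bare."""
    parts = []
    for directive, sources in policy.items():
        parts.append(f"{directive} {' '.join(sources)}" if sources else directive)
    return "; ".join(parts)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a header value back into directive -> sources (inverse of build_csp).
    Tolerates a trailing ';' as in the policy quoted in the text."""
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(value: str) -> List[str]:
    """Return the findings a reviewer would raise about a policy value."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("missing default-src fallback")
    for directive, sources in policy.items():
        for src in sources:
            if src in UNSAFE_SOURCES:
                findings.append(f"{directive} allows {src}")
            elif src == "*":
                findings.append(f"{directive} allows any origin (*)")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors directive (framing not restricted)")
    return findings


def check_response_headers(headers: Dict[str, str]) -> str:
    """Classify a response as 'enforced', 'report-only' or 'missing'.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if "content-security-policy" in lowered:
        return "enforced"
    if "content-security-policy-report-only" in lowered:
        return "report-only"
    return "missing"


def parse_violation_report(body: str) -> Dict[str, str]:
    """Extract the fields worth triaging from a report-uri POST body
    (application/csp-report JSON with a single 'csp-report' object)."""
    report = json.loads(body)["csp-report"]
    return {
        "document": report.get("document-uri", ""),
        "directive": report.get("violated-directive")
        or report.get("effective-directive", ""),
        "blocked": report.get("blocked-uri", ""),
    }


# Constructed sample policy matching the basic policy quoted in the text.
SAMPLE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://code.jquery.com"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "frame-ancestors": ["'none'"],
}

# Constructed sample violation report, in the shape a browser POSTs to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout",
    "violated-directive": "script-src",
    "blocked-uri": "https://cdn.thirdparty.example/widget.js",
}})


if __name__ == "__main__":
    header = build_csp(SAMPLE_POLICY)
    print("Content-Security-Policy:", header)
    print("audit findings:", audit_csp(header))
    print("response without header:", check_response_headers({"Content-Type": "text/html"}))
    print("triaged report:", parse_violation_report(SAMPLE_REPORT))
```

Run the audit against the policy you intend to ship before enabling enforcement; the sample policy produces exactly one finding (the 'unsafe-inline' in style-src that the text accepts as a trade-off), while a policy such as `script-src *` produces several. The report parser handles the legacy report-uri body format shown in step 3; a deployment that switches to the newer report-to directive receives reports in a different envelope and needs a separate handler.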
