default-src Used in Content Security Policy (CSP)
Description
This informational alert indicates that the application implements a Content Security Policy (CSP) using the default-src directive. While CSP is a valuable security mechanism that helps prevent cross-site scripting (XSS) and other code injection attacks, certain configurations may contain weaknesses or produce unintended side-effects. This check evaluates the CSP implementation for potential misconfigurations and provides recommendations for strengthening the policy while maintaining compatibility.
Remediation
Review the detailed findings in the alert output to identify specific CSP configuration issues. For each identified issue, follow the provided remediation guidance. Common improvements include:
1. Remove unsafe directives: Eliminate 'unsafe-inline' and 'unsafe-eval' from script-src and style-src directives where possible. Use nonces or hashes for inline scripts instead.
2. Restrict source lists: Replace wildcard sources (*) with specific, trusted domains. Avoid overly broad sources like 'https:' or 'data:'.
3. Implement strict policies: Use specific directives (script-src, style-src, img-src) instead of relying solely on default-src for better control.
4. Test thoroughly: After making changes, test your application to ensure all legitimate functionality works as expected.
Example of a strengthened CSP header:
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; style-src 'self' 'nonce-{random}'; img-src 'self' https://trusted-cdn.example.com; object-src 'none'; base-uri 'self'
Consult the references provided for detailed guidance on implementing secure CSP configurations.
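As an added illustration of the review points above (not the scanner's own check logic), the following script parses a Content-Security-Policy header value, applies the default-src fallback rule for fetch directives, and reports the weaknesses listed in the remediation steps; the weak header is a constructed sample and the strong one is the example header from this page.

```python
from typing import Dict, List

Policy = Dict[str, List[str]]


def parse_csp(header: str) -> Policy:
    """Split 'name src src; name src' into {name: [sources]}; names are lowercased."""
    policy: Policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Policy, directive: str) -> List[str]:
    """Fetch directives (script-src, style-src, img-src, object-src, ...) fall back
    to default-src when absent; base-uri does not, so it is checked separately."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(header: str) -> List[str]:
    """Return a list of findings; an empty list means none of the listed issues apply."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives are unrestricted")
    for d in ("script-src", "style-src"):
        if d not in policy:
            findings.append(f"{d} not set, inherits default-src")
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in effective_sources(policy, d):
                findings.append(f"{d} allows {keyword}")
    for d, sources in policy.items():
        for broad in ("*", "https:", "http:", "data:"):
            if broad in sources:
                findings.append(f"{d} allows overly broad source {broad}")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src should be 'none'")
    if "base-uri" not in policy:
        findings.append("base-uri not set")
    return findings


# Constructed weak header and the strengthened header quoted in the text above.
WEAK = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src data:"
STRONG = ("default-src 'self'; script-src 'self' 'nonce-{random}'; "
          "style-src 'self' 'nonce-{random}'; "
          "img-src 'self' https://trusted-cdn.example.com; "
          "object-src 'none'; base-uri 'self'")

if __name__ == "__main__":
    for name, header in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_csp(header) or ["no findings"])
```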