Deprecated Header Instruction Used to Implement Content Security Policy (CSP)
Description
The application implements Content Security Policy (CSP) using the deprecated X-Content-Security-Policy or X-WebKit-CSP HTTP headers instead of the standard Content-Security-Policy header. While these legacy headers were used by older browsers, they are no longer supported by modern browsers and may contain configuration issues that could weaken the application's security posture. This finding indicates that the CSP implementation should be reviewed and updated to use current standards.
Remediation
Replace the deprecated X-Content-Security-Policy and X-WebKit-CSP headers with the standard Content-Security-Policy header. Review the existing CSP directives for misconfigurations and update them according to current best practices.
Example of updating server configuration:
Apache (.htaccess or httpd.conf):
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"
Nginx:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'" always;
IIS (web.config):
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
Remove any existing X-Content-Security-Policy or X-WebKit-CSP headers from your configuration. Test the updated CSP thoroughly to ensure it doesn't break application functionality while providing appropriate security protections.
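The following Python script is an added example, not part of this finding's text or of any scanner's own code. It covers both the detection described above (a response carrying X-Content-Security-Policy or X-WebKit-CSP rather than Content-Security-Policy) and the "review the existing CSP directives" step of the remediation: it parses the standard header into directives and reports the weaknesses a review commonly looks for. The header sets it runs on are constructed, and the list of checks (missing default-src, 'unsafe-inline' or 'unsafe-eval' or a bare wildcard in the effective script-src, unrestricted object-src, and a legacy header whose policy differs from the standard one) is this example's own selection, not a list taken from the finding.

```python
"""Audit HTTP response headers for deprecated CSP header names and review
the standard Content-Security-Policy directives.

Added example, not part of the original finding. Sample header sets are
constructed; the review checks are this script's own selection.
"""

DEPRECATED_CSP_HEADERS = ("x-content-security-policy", "x-webkit-csp")
STANDARD_CSP_HEADER = "content-security-policy"


def parse_csp(policy):
    """Parse a CSP value into {directive-name: [source-expression, ...]}.

    Directives are separated by ';' and tokens by whitespace. Names are
    case-insensitive; when a directive is repeated, browsers honour the
    first occurrence and ignore the rest, so the parser does the same.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp_headers(headers):
    """Return a list of findings (strings) for one response's headers.

    `headers` maps header name -> value; names are matched
    case-insensitively, as HTTP requires.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []

    # 1. Deprecated header names: modern browsers ignore these entirely.
    legacy_values = {h: lower[h] for h in DEPRECATED_CSP_HEADERS if h in lower}
    for name in legacy_values:
        findings.append(f"deprecated header present: {name}")

    # 2. Without the standard header no current browser enforces a policy.
    if STANDARD_CSP_HEADER not in lower:
        findings.append("standard Content-Security-Policy header missing")
        return findings
    standard = lower[STANDARD_CSP_HEADER]

    # 3. A legacy header carrying a different policy suggests the two were
    #    maintained separately and one of them is stale.
    for name, value in legacy_values.items():
        if parse_csp(value) != parse_csp(standard):
            findings.append(f"{name} policy differs from Content-Security-Policy")

    # 4. Directive review. Fetch directives such as script-src and
    #    object-src fall back to default-src when they are absent.
    policy = parse_csp(standard)
    default = policy.get("default-src")
    if default is None:
        findings.append("no default-src fallback")
        default = []
    script = policy.get("script-src", default)
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    has_nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script
    )
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in script:
            if weak == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            findings.append(f"script-src allows {weak}")
    if "object-src" not in policy and "'none'" not in default:
        findings.append("object-src not restricted (plugins fall back to default-src)")
    return findings


if __name__ == "__main__":
    # Constructed sample responses: legacy header only, the policy from the
    # remediation text above, and a tightened policy without 'unsafe-inline'.
    samples = {
        "legacy only": {"X-Content-Security-Policy": "default-src 'self'"},
        "updated": {
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"
        },
        "tightened": {"Content-Security-Policy": "default-src 'self'; object-src 'none'"},
    }
    for label, hdrs in samples.items():
        print(label, "->", audit_csp_headers(hdrs) or ["no findings"])
```

Run against real traffic by feeding `audit_csp_headers` the header dict from a captured response; an empty list means the standard header is present and none of the listed checks fired, which is the state to reach before removing the legacy header names from the server configuration.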