Incorrect Content Security Policy (CSP) Implementation - Vulnerability Database

Incorrect Content Security Policy (CSP) Implementation

Description

The application sends Content-Security-Policy (CSP) headers whose configuration weakens the protection the header is meant to provide. CSP is a browser-enforced mechanism that limits the damage of cross-site scripting (XSS), clickjacking and other content-injection attacks by restricting the origins from which scripts, styles, frames and other resources may be loaded, whether inline code may execute, and which sites may embed the page. A misconfigured policy (permissive keywords, wildcard sources, missing directives) leaves gaps an attacker can use to run injected code, or provides no effective protection while appearing to be in place.

Remediation

Review and remediate the Content Security Policy configurations identified in the alert details. Follow these steps:

1. Examine each flagged CSP directive and review the specific remediation advice provided in the alert details for that configuration issue.

2. Remove the permissive keywords 'unsafe-inline' and 'unsafe-eval' wherever possible; 'unsafe-inline' permits any injected inline script or event handler to run, and 'unsafe-eval' lets injected strings reach eval() and Function(). If inline scripts or styles are genuinely required, authorise them with a nonce or a hash instead. A nonce must be generated from a cryptographically secure random source, be unique to each response, and never be reused or guessable:

<script nonce="random-value-generated-per-request">...</script>
Content-Security-Policy: script-src 'nonce-random-value-generated-per-request'

Alternatively, allow a fixed inline block by its digest, e.g. 'sha256-<base64 digest of the script body>'. Once a nonce or hash is present in script-src, browsers that support CSP level 2 or later ignore 'unsafe-inline' in that directive, so it may remain only as a fallback for legacy browsers and no longer weakens the policy there.

3. Replace wildcard sources with specific, trusted origins. Avoid '*' and bare scheme sources such as 'https:' or 'http:', which allow content from any host on that scheme, and avoid 'data:' in script-src or object-src, since it allows code to be supplied inline in a URL. Keep in mind that an allowlisted host is only as safe as everything it serves: a domain that hosts JSONP endpoints, user-uploaded files or script gadgets can be used to bypass an allowlist-based policy, which is why nonces or hashes are preferable to long host lists for script-src.

4. Set all relevant directives explicitly, including default-src, script-src, style-src, img-src, object-src and frame-ancestors. Note that frame-ancestors and base-uri do not fall back to default-src, so they must be stated to take effect: frame-ancestors 'none' (or 'self') is the CSP control for clickjacking, base-uri 'self' prevents an injected <base> tag from redirecting relative script URLs, and object-src 'none' blocks plugin content that could otherwise execute code.

5. Test the updated policy in report-only mode first to identify any legitimate content it would block. Report-only mode does not enforce anything, so it is only useful when a reporting endpoint is configured and its reports are actually reviewed; report-uri is deprecated in favour of report-to but remains widely supported, and both headers can be sent together while migrating:
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; report-uri /csp-report

6. Deploy the enforced policy after validation and monitor CSP violation reports to identify any issues.
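The following Python script is an added example, not Invicti's code, that works through steps 2 to 6 above: it parses a CSP header value, flags the weaknesses those steps describe (missing directives, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcard and bare-scheme sources), and builds a nonce-based replacement policy that can be emitted in report-only or enforcing form. The weak header it audits is constructed for the demonstration; the /csp-report endpoint path is taken from the example above, and the 'strict-dynamic' keyword in the hardened policy is this example's choice (it lets the nonced script load further scripts without listing their hosts) rather than something the text prescribes.

```python
"""Audit a Content-Security-Policy value and build a nonce-based replacement.

Added example for the remediation steps above; not Invicti's scanner logic.
"""
import secrets

# Fetch directives fall back to default-src when they are absent.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src",
}
# Directives every policy should govern. base-uri and frame-ancestors never
# inherit from default-src, so they must appear explicitly.
REQUIRED = ("default-src", "script-src", "style-src", "img-src",
            "object-src", "base-uri", "frame-ancestors")

# Constructed sample of a weak policy (not captured from a real site).
WEAK_HEADER = ("default-src 'self'; "
               "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; "
               "style-src 'self' 'unsafe-inline'; img-src *")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source, ...]}.
    Browsers honour only the first occurrence of a duplicated directive."""
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Sources governing a directive after default-src fallback, or None."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def audit_csp(header: str) -> list[str]:
    """Return one finding per weakness the remediation steps target."""
    policy = parse_csp(header)
    findings: list[str] = []

    # Step 4: every protective directive must be governed by something.
    for directive in REQUIRED:
        if effective_sources(policy, directive) is None:
            findings.append(f"{directive}: not set and has no default-src fallback")

    # Step 2: inline code and eval. CSP2+ browsers ignore 'unsafe-inline' once a
    # nonce or hash is present, so that combination is a legacy fallback, not a gap.
    for directive in ("script-src", "style-src"):
        sources = [s.lower() for s in effective_sources(policy, directive) or []]
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
        if "'unsafe-inline'" in sources and not nonce_or_hash:
            findings.append(f"{directive}: 'unsafe-inline' lets injected inline code run")
    script_sources = [s.lower() for s in effective_sources(policy, "script-src") or []]
    if "'unsafe-eval'" in script_sources:
        findings.append("script-src: 'unsafe-eval' lets injected strings reach eval()/Function()")

    # Step 3: wildcard and bare-scheme sources. data: is flagged only where it
    # yields code execution (script-src, object-src); it is routine in img-src.
    for directive, sources in policy.items():
        if not (directive.endswith("-src")
                or directive in ("base-uri", "frame-ancestors", "form-action")):
            continue
        broad = {"*", "http:", "https:"}
        if directive in ("script-src", "object-src"):
            broad.add("data:")
        for s in sources:
            if s.lower() in broad:
                findings.append(f"{directive}: '{s}' permits any origin")
    return findings


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url-encoded; generate one per response."""
    return secrets.token_urlsafe(16)


def hardened_policy(nonce: str, report_only: bool = False) -> tuple[str, str]:
    """(header name, header value) for a nonce-based policy; report_only=True
    is the step-5 rollout form, report_only=False the step-6 enforced form."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",  # 'strict-dynamic' is this example's choice
        "style-src 'self'",
        "img-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
        "report-uri /csp-report",  # endpoint path as in the report-only example above
    ])
    return name, value


if __name__ == "__main__":
    for finding in audit_csp(WEAK_HEADER):
        print("weak  :", finding)
    nonce = new_nonce()
    name, value = hardened_policy(nonce, report_only=True)
    print(f"{name}: {value}")
    print(f'<script nonce="{nonce}" src="/app.js"></script>')
    print("hardened findings:", audit_csp(value))
```

Run it directly to see the seven findings for the constructed weak header and an empty finding list for the generated policy. In a real deployment, new_nonce() is called once per response, the value is placed both in the header and in every trusted <script> tag of that response, and the enforcing header replaces the report-only one only after the reports collected at /csp-report show no legitimate content being blocked.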

Consult the references provided for detailed guidance on implementing secure Content Security Policies.

Severity

Information

Classification