Insecure Protocol Detected in Content Security Policy (CSP)
Description
The application's Content Security Policy (CSP) contains directives that allow resources to be loaded over the insecure HTTP protocol instead of requiring HTTPS. This weakens the protection CSP is designed to provide, because it permits potentially untrusted or tampered content to be loaded into the application. While a CSP is present and configured, the use of insecure schemes in its source directives undermines its effectiveness in preventing content injection attacks.
Remediation
Review and update all Content Security Policy directives to enforce HTTPS-only resource loading. Replace any HTTP URLs with their HTTPS equivalents, or use protocol-relative schemes where appropriate.
Recommended actions:
- Identify all CSP directives containing http: protocol references in your policy
- Replace insecure sources with HTTPS equivalents (e.g., change http://example.com to https://example.com)
- Consider using the upgrade-insecure-requests directive to automatically upgrade HTTP requests to HTTPS
- Remove the http: scheme from source lists, keeping only https:
Example

Before (Insecure):
Content-Security-Policy: script-src 'self' http://cdn.example.com;

After (Secure):
Content-Security-Policy: script-src 'self' https://cdn.example.com; upgrade-insecure-requests;

Verify that all external resources referenced in your CSP are available over HTTPS before deploying changes. Test the updated policy thoroughly to ensure application functionality is not disrupted.
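The following Python script is an added example, not part of this finding or of any scanner's code: it parses a CSP header, reports every source that permits plaintext HTTP loads (the bare http: scheme-source or an http:// host-source), and emits a hardened policy following the remediation steps above. The sample header is constructed for illustration.

```python
# Directives whose values are source lists and can therefore carry http: sources.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "script-src-elem", "script-src-attr",
    "style-src-elem", "style-src-attr", "form-action", "frame-ancestors",
    "base-uri",
}

def parse_csp(header):
    """Split a CSP header into (directive, tokens) pairs, preserving order.
    Directive names are ASCII case-insensitive; tokens keep their case."""
    policy = []
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts:
            policy.append((parts[0].lower(), parts[1:]))
    return policy

def find_insecure_sources(header):
    """Return (directive, source) pairs that allow resources over plaintext HTTP."""
    findings = []
    for name, sources in parse_csp(header):
        if name in FETCH_DIRECTIVES:
            for src in sources:
                low = src.lower()
                if low == "http:" or low.startswith("http://"):
                    findings.append((name, src))
    return findings

def harden_csp(header):
    """Rewrite http:// host-sources to https://, replace the http: scheme-source
    with https: (deduplicated), and append upgrade-insecure-requests if missing."""
    out, has_upgrade = [], False
    for name, sources in parse_csp(header):
        has_upgrade |= name == "upgrade-insecure-requests"
        if name in FETCH_DIRECTIVES:
            fixed = []
            for src in sources:
                if src.lower() == "http:":
                    src = "https:"
                elif src.lower().startswith("http://"):
                    src = "https://" + src[len("http://"):]
                if src not in fixed:  # the rewrite may collide with an existing https: entry
                    fixed.append(src)
            sources = fixed
        out.append(" ".join([name, *sources]))
    if not has_upgrade:
        out.append("upgrade-insecure-requests")
    return "; ".join(out)

# Constructed sample: the finding's "before" policy plus an img-src with a bare http: scheme.
SAMPLE = "script-src 'self' http://cdn.example.com; img-src http: https: data:"
```

Running `find_insecure_sources(SAMPLE)` flags both the http:// host-source and the bare http: scheme, and `harden_csp(SAMPLE)` returns the policy with https: sources only plus upgrade-insecure-requests; applying it twice yields the same result.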