Invalid Content Security Policy (CSP) Directive Identified in meta Elements
Description
The application implements Content Security Policy (CSP) directives through HTML meta elements that contain misconfigurations or potentially problematic settings. While CSP is a critical security mechanism designed to prevent cross-site scripting (XSS) and other code injection attacks, incorrect implementations may fail to provide adequate protection or introduce unintended compatibility issues. This check identifies CSP configurations that deviate from security best practices and provides specific guidance for improvement.
Remediation
Review the detailed findings in the alert output, which identify specific CSP misconfigurations and provide tailored remediation advice for each issue. Common remediation steps include:
1. Remove unsafe source keywords: Eliminate 'unsafe-inline' and 'unsafe-eval' from the script-src and style-src directives (and from default-src, which script-src and style-src fall back to when they are absent). Instead, allow inline scripts and styles with per-response nonces or with hashes of their content.
2. Implement strict source allowlists: Specify explicit, trusted origins rather than a bare wildcard (*) or a scheme-only source such as https:, which allows any host on that scheme.
3. Add missing directives: Include default-src, script-src, style-src, and object-src. default-src is the fallback for fetch directives that are not set, and object-src 'none' should be set explicitly to block plugin content.
4. Use HTTP headers instead of meta tags: When possible, deliver CSP in the Content-Security-Policy response header rather than a meta element. Browsers ignore frame-ancestors, report-uri, report-to, and sandbox in a meta element, Content-Security-Policy-Report-Only cannot be set via meta at all, and a meta policy only applies to content parsed after the element, so it must appear as early as possible in the head.
Example of a secure CSP implementation via HTTP header, where {random} is a fresh, unguessable value generated per response and placed in the nonce attribute of each permitted inline script and style element:
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; style-src 'self' 'nonce-{random}'; object-src 'none'; base-uri 'self'; frame-ancestors 'none';
Test all changes thoroughly before enforcing the policy to avoid breaking legitimate functionality. Use the Content-Security-Policy-Report-Only header for this; it reports violations without blocking anything, and because it is header-only, the trial must be run from the server response, not from a meta element.