Unsupported Hash Detected in Content Security Policy (CSP) - Vulnerability Database

Unsupported Hash Detected in Content Security Policy (CSP)

Description

The Content Security Policy (CSP) served by the target application contains a hash source expression whose algorithm is not one that CSP defines. CSP hashes allow specific inline scripts or styles to run by listing a digest of their content, but the only hash algorithms the specification and browsers support are SHA-256, SHA-384 and SHA-512, written as 'sha256-...', 'sha384-...' and 'sha512-...'. Browsers discard a source expression they cannot parse, so a hash such as 'sha1-...' or 'md5-...' contributes nothing to the policy: the inline script or style it was meant to allow no longer matches and is blocked, and, because an invalid hash does not count as a hash-source, it does not switch off 'unsafe-inline' the way a valid hash or nonce does. The policy therefore either breaks legitimate inline code, which tempts developers to fall back to 'unsafe-inline', or keeps permitting arbitrary inline code where a correct hash would have disabled it.

Remediation

Update the Content Security Policy so that every hash source uses a supported algorithm (SHA-256, SHA-384 or SHA-512) and matches the exact content of the inline script or style it is meant to allow. Follow these steps:

1. Identify Unsupported Hashes: Review the CSP header (Content-Security-Policy and Content-Security-Policy-Report-Only) and any CSP meta tag for quoted hash sources whose prefix is anything other than sha256-, sha384- or sha512- (for example 'sha1-...' or 'md5-...'). Most browsers log a console warning for each invalid source expression they ignore, which is a quick way to confirm the finding against the live site.

2. Generate Correct Hashes: Recalculate each hash with a supported algorithm over the exact content of the element, that is, everything between the opening and closing tag, including leading and trailing whitespace and newlines. A hash computed over trimmed or reformatted text will not match what the browser computes. You can generate SHA-256 hashes using the following methods:

// Using OpenSSL command line (echo -n avoids appending a newline; for multi-line scripts, save the body to a file and feed that file to openssl instead of echo):
echo -n "your-inline-script-content" | openssl dgst -sha256 -binary | openssl base64

// Using browser DevTools:
// When a browser blocks an inline script, the console message quotes the sha256 hash it computed for that element; copy it into the policy only after confirming the script is one you intend to allow.

3. Update CSP Directives: Replace each unsupported hash with the newly generated one in your CSP header or meta tag. Keep the other sources the directive needs (for example 'self' or host sources), because a directive containing only hashes allows no external scripts at all. Once a valid hash or nonce is present, browsers that understand hashes ignore 'unsafe-inline', so remove it unless it is deliberately kept as a fallback for older browsers. If the policy is delivered in a meta tag, place the tag in the head before any inline script it governs; a meta policy is not applied to content that precedes it.
// Example HTTP Header:
Content-Security-Policy: script-src 'sha256-abc123...' 'sha384-def456...'

// Example Meta Tag:
<meta http-equiv="Content-Security-Policy" 
      content="script-src 'sha256-abc123...' 'sha384-def456...'">

4. Test Thoroughly: Verify that all legitimate inline scripts and styles still run after updating the CSP, and watch the browser console for CSP violation reports (or use Content-Security-Policy-Report-Only first to collect them without blocking anything). Note that inline event handler attributes such as onclick and javascript: URLs are not covered by script hashes unless 'unsafe-hashes' is also present; move that code into a hashed script block instead.
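The following script is an added example (not code from Invicti or from the page above) that works through the behaviour described in the Description and the four remediation steps: it flags hash sources whose algorithm CSP does not support, reports whether 'unsafe-inline' is still in effect given that only a valid hash or nonce disables it, computes supported hashes over the exact bodies of a page's inline scripts, and emits a corrected script-src value. The HTML document and policy it operates on are constructed samples, and the function and constant names are this example's own.

```python
import base64
import hashlib
import re

# The only hash algorithms CSP defines for hash-source expressions.
SUPPORTED_HASH_ALGS = ("sha256", "sha384", "sha512")

# Quoted keyword sources; they contain a hyphen, so they must be recognised before
# anything is treated as a <alg>-<digest> hash source.
KEYWORD_SOURCES = {
    "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'",
    "'strict-dynamic'", "'report-sample'", "'wasm-unsafe-eval'",
}

# Shape of a hash source, 'alg-base64', whether or not alg is one CSP supports.
HASH_LIKE = re.compile(r"^'(?P<alg>[a-z0-9]+)-(?P<digest>[A-Za-z0-9+/=]+)'$", re.IGNORECASE)

# Inline <script> elements (no src attribute); group 1 is the body exactly as written.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def csp_hash(body: str, alg: str = "sha256") -> str:
    """CSP hash-source for an inline script or style body.

    The digest covers the body verbatim (whitespace and newlines included), which is
    exactly what the browser hashes, so the body must not be trimmed or reformatted.
    """
    if alg not in SUPPORTED_HASH_ALGS:
        raise ValueError(f"{alg!r} is not a CSP hash algorithm; use one of {SUPPORTED_HASH_ALGS}")
    digest = hashlib.new(alg, body.encode("utf-8")).digest()
    return f"'{alg}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_bodies(html: str) -> list:
    """Bodies of every inline <script> element in an HTML document, in document order."""
    return INLINE_SCRIPT.findall(html)


def audit_source_list(value: str) -> dict:
    """Classify the source expressions of one directive value (the text after 'script-src').

    'unsupported' lists hash-looking sources whose algorithm CSP does not define; browsers
    drop these as invalid. 'unsafe_inline_effective' is True when 'unsafe-inline' is present
    and no valid nonce or hash source exists to switch it off.
    """
    valid, unsupported = [], []
    has_nonce_or_hash = False
    for tok in value.split():
        low = tok.lower()
        if low in KEYWORD_SOURCES or not tok.startswith("'"):
            valid.append(tok)                     # keyword, scheme or host source
        elif low.startswith("'nonce-"):
            valid.append(tok)
            has_nonce_or_hash = True
        elif (m := HASH_LIKE.match(tok)) and m.group("alg").lower() in SUPPORTED_HASH_ALGS:
            valid.append(tok)
            has_nonce_or_hash = True
        else:
            unsupported.append(tok)               # 'sha1-...', 'md5-...' or otherwise unparsable
    return {
        "valid": valid,
        "unsupported": unsupported,
        "unsafe_inline_effective": "'unsafe-inline'" in (t.lower() for t in valid)
                                   and not has_nonce_or_hash,
    }


def rewrite_script_src(value: str, html: str, alg: str = "sha256") -> str:
    """Drop unsupported hash sources, add a supported hash for each inline script on the
    page, and remove 'unsafe-inline', which the new hashes would make a no-op anyway."""
    report = audit_source_list(value)
    kept = [t for t in report["valid"] if t.lower() != "'unsafe-inline'"]
    for body in inline_script_bodies(html):
        h = csp_hash(body, alg)
        if h not in kept:
            kept.append(h)
    return " ".join(kept)


# Constructed sample input (not from a real site): two inline scripts plus one external one,
# and a policy carrying a SHA-1 hash (never valid in CSP) alongside 'unsafe-inline'.
SAMPLE_HTML = """<html><head>
<script>console.log("hello");</script>
<script src="/app.js"></script>
<script>
  window.ready = true;
</script>
</head></html>"""
SAMPLE_SCRIPT_SRC = "'self' 'unsafe-inline' 'sha1-2jmj7l5rSw0yVb/vlWAYkK/YBwk=' https://cdn.example.com"


if __name__ == "__main__":
    before = audit_source_list(SAMPLE_SCRIPT_SRC)
    print("ignored by browsers:", before["unsupported"])
    print("'unsafe-inline' still effective:", before["unsafe_inline_effective"])
    fixed = rewrite_script_src(SAMPLE_SCRIPT_SRC, SAMPLE_HTML)
    print("Content-Security-Policy: script-src " + fixed)
    print("'unsafe-inline' still effective:", audit_source_list(fixed)["unsafe_inline_effective"])
```

Run against the sample, the audit reports the 'sha1-...' source as unsupported and 'unsafe-inline' as still effective; the rewritten directive keeps 'self' and the CDN host, carries one 'sha256-...' entry per inline script, and no longer contains 'unsafe-inline'. The regex-based extraction is deliberately literal about whitespace: a hash over `"\n  window.ready = true;\n"` differs from one over `"window.ready = true;"`, which is the most common reason a freshly generated hash still fails to match in the browser.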

Severity

Information