Wildcard Detected in Domain Portion of Content Security Policy (CSP) Directive
Description
The Content Security Policy (CSP) implemented on the target application contains a wildcard (*) in the domain portion of one or more directives. While wildcards can simplify policy management, they may inadvertently allow content from unintended or malicious subdomains, potentially weakening the security posture that CSP is designed to provide. This finding highlights specific CSP configurations that should be reviewed to ensure they align with security best practices and the principle of least privilege.
Remediation
Review all CSP directives that contain wildcard domain patterns and replace them with explicit, trusted domain listings wherever possible. Follow these steps:
1. Identify affected directives: Review the alert details to determine which CSP directives contain wildcards and on which domains.
2. Enumerate trusted sources: Create a comprehensive list of specific subdomains that legitimately need to serve content to your application.
3. Replace wildcards with explicit domains: Update your CSP to list only the specific subdomains required. For example, replace:
Content-Security-Policy: script-src 'self' https://*.example.com
with:
Content-Security-Policy: script-src 'self' https://cdn.example.com https://api.example.com
4. If wildcards are unavoidable: Ensure you have strict control over subdomain creation and implement monitoring for unauthorized subdomains. Consider using nonces or hashes for inline scripts as an additional layer of protection.
5. Test thoroughly: After updating your CSP, test all application functionality to ensure legitimate resources are not blocked. Monitor CSP violation reports to identify any issues.
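The steps above can be automated for the identification and replacement stages. The following Python script is an added example and is not part of this alert or of any scanner's own code: it parses a CSP header value, reports every source expression whose host portion contains a wildcard (keyword sources such as 'self', scheme sources such as https:, and port-only wildcards such as example.com:* are deliberately not flagged, since the finding concerns the domain portion), and rebuilds the header with each wildcard replaced by an explicit list of trusted hosts. The policy and host names used as input are constructed for the example.

```python
"""Find and replace wildcard hosts in a Content-Security-Policy header value.

Added example; the header values below are constructed, not taken from any
real application.
"""
import re

# Directives whose values are source lists and can therefore carry a host.
# Non-source directives (sandbox, report-uri, report-to, ...) are skipped.
SOURCE_LIST_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "prefetch-src", "base-uri", "form-action",
    "frame-ancestors",
}

_SCHEME_SOURCE = re.compile(r"^[a-z][a-z0-9+.\-]*:$", re.IGNORECASE)   # e.g. https:
_SCHEME_PREFIX = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)  # e.g. https://


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}.

    Per the CSP specification, when a directive appears more than once the
    first occurrence is used and later ones are ignored.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def has_wildcard_host(source: str) -> bool:
    """True if the host portion of a source expression contains '*'.

    Keyword sources ('self', 'nonce-...'), scheme sources (https:) and
    port-only wildcards (example.com:*) are not host wildcards.
    """
    if source.startswith("'"):
        return False
    if _SCHEME_SOURCE.match(source):
        return False
    if source == "*":
        return True
    rest = _SCHEME_PREFIX.sub("", source, count=1)
    host = re.split(r"[:/]", rest, maxsplit=1)[0]  # drop :port and /path
    return "*" in host


def find_wildcard_hosts(header: str) -> dict:
    """Step 1: return {directive: [offending sources]} for the given header."""
    findings = {}
    for name, sources in parse_csp(header).items():
        if name not in SOURCE_LIST_DIRECTIVES:
            continue
        bad = [s for s in sources if has_wildcard_host(s)]
        if bad:
            findings[name] = bad
    return findings


def replace_wildcards(header: str, replacements: dict) -> str:
    """Step 3: rebuild the header with wildcard sources swapped for explicit hosts.

    `replacements` maps a wildcard source expression to the list of trusted
    hosts that should stand in for it. Wildcards without a mapping are left
    in place so the caller can see what still needs a decision.
    """
    parts = []
    for name, sources in parse_csp(header).items():
        new_sources = []
        for s in sources:
            if has_wildcard_host(s) and s in replacements:
                new_sources.extend(replacements[s])
            else:
                new_sources.append(s)
        parts.append(" ".join([name] + new_sources))
    return "; ".join(parts)


# Constructed sample policy (not from a real site) covering the cases the
# checker must tell apart: scheme source, keyword, port wildcard, host wildcard.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://*.example.com https: 'nonce-r4nd0m'; "
    "img-src *; "
    "connect-src https://api.example.com:* wss://*.example.com; "
    "report-uri /csp-report"
)

# Constructed mapping of each wildcard to the hosts that actually need access.
SAMPLE_REPLACEMENTS = {
    "https://*.example.com": ["https://cdn.example.com", "https://api.example.com"],
    "*": ["'self'", "https://images.example.com"],
    "wss://*.example.com": ["wss://rt.example.com"],
}

if __name__ == "__main__":
    for directive, sources in find_wildcard_hosts(SAMPLE_POLICY).items():
        print(f"{directive}: {' '.join(sources)}")
    print(replace_wildcards(SAMPLE_POLICY, SAMPLE_REPLACEMENTS))
```

Run the script against the header value returned by the application; the output of the first loop is the list for step 1, and the rebuilt header is a starting point for step 3 that still has to be tested against the application (step 5) before deployment. A port wildcard such as https://api.example.com:* is intentionally left alone, since it does not widen the set of domains.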