
Wildcard Detected in Scheme Portion of Content Security Policy (CSP) Directive

Description

The Content Security Policy (CSP) for this application contains a wildcard (*) in the scheme portion of one or more directives. While wildcards in CSP can be useful, using them in the scheme portion (e.g., *://example.com) allows both HTTP and HTTPS, so the policy permits resources to be loaded over plaintext HTTP and weakens the protection it is meant to provide. This configuration analysis identifies potentially unintended side effects of CSP settings and provides recommendations for strengthening the policy while maintaining compatibility.

Remediation

Review all CSP directives that contain wildcards in the scheme portion and replace them with explicit HTTPS-only schemes. Instead of using wildcard schemes like *://example.com, specify the secure protocol explicitly as https://example.com. If your application genuinely requires loading resources over both HTTP and HTTPS (which is not recommended), explicitly list both schemes separately.

Example - Before (Insecure):

Content-Security-Policy: script-src 'self' *://cdn.example.com

After (Secure):

Content-Security-Policy: script-src 'self' https://cdn.example.com

After updating the CSP, thoroughly test your application to ensure all legitimate resources load correctly. Use browser developer tools to identify any CSP violations and adjust the policy as needed. Consider implementing CSP in report-only mode first (Content-Security-Policy-Report-Only) to identify potential issues before enforcing the stricter policy.
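The review step above can be automated. The following script is an added example, not Invicti's scanner code: it parses a Content-Security-Policy header value into directives and source expressions, reports every source whose scheme part is a wildcard (a bare * host wildcard such as img-src * is deliberately not flagged, since only the scheme portion is at issue here), and emits a hardened copy in which each *://host source is rewritten as https://host. The header value it runs on is constructed for illustration.

```python
"""Find wildcard schemes in a CSP header and propose an HTTPS-only rewrite.

Added example, not part of the original page or of any Invicti product.
The sample header below is constructed; the hostnames are placeholders.
"""
import re
from typing import Dict, List, Tuple

# A host-source whose scheme part is a wildcard, e.g. "*://cdn.example.com".
# A bare "*" (host wildcard) or "https://*.example.com" (host-part wildcard)
# does not match, because only the scheme portion is checked.
WILDCARD_SCHEME = re.compile(r"^\*://(?P<rest>.+)$")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive
    names are case-insensitive, and browsers ignore a repeated directive,
    so only the first occurrence is kept (dict preserves header order).
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def find_wildcard_schemes(header: str) -> List[Tuple[str, str]]:
    """Return (directive, source) pairs whose source uses a '*://' scheme."""
    findings: List[Tuple[str, str]] = []
    for directive, sources in parse_csp(header).items():
        for src in sources:
            if WILDCARD_SCHEME.match(src):
                findings.append((directive, src))
    return findings


def harden(header: str) -> str:
    """Rewrite every '*://host' source as 'https://host'.

    All other tokens ('self', data:, wss://..., bare *) are left untouched.
    Because the policy is rebuilt from the parsed form, duplicate directives
    (already ignored by browsers) are dropped from the output.
    """
    parts = []
    for directive, sources in parse_csp(header).items():
        fixed = [WILDCARD_SCHEME.sub(r"https://\g<rest>", s) for s in sources]
        parts.append(" ".join([directive, *fixed]).strip())
    return "; ".join(parts)


# Constructed sample header: two wildcard-scheme sources, plus a bare "*"
# host wildcard and a wss: source that must not be reported or rewritten.
CONSTRUCTED_HEADER = (
    "default-src 'self'; "
    "script-src 'self' *://cdn.example.com 'unsafe-inline'; "
    "img-src * data:; "
    "connect-src *://api.example.com:8443 wss://ws.example.com"
)


if __name__ == "__main__":
    for directive, src in find_wildcard_schemes(CONSTRUCTED_HEADER):
        print(f"wildcard scheme in {directive}: {src}")
    print("Proposed policy:")
    print(harden(CONSTRUCTED_HEADER))
```

Running the script on the constructed header reports the script-src and connect-src sources and prints a policy in which both are HTTPS-only; the hardened output, fed back into find_wildcard_schemes, yields no findings. Feed it the header as sent by your application (for example the value captured in browser developer tools) and deploy the rewritten policy in report-only mode first, as described above.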

Severity: Information