Insecure Protocol Detected in Content Security Policy (CSP)

Severity: Information

Invicti detected that a URL uses HTTP whitelisted through a CSP declaration within an HTTPS page.


If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted. The unencrypted content is accessible to sniffers.

A man-in-the-middle attacker can intercept the request for the HTTP content and also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example), and therefore the connection is not safeguarded anymore.

Do not whitelist a domain loaded over HTTP.

Search Vulnerability

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works