Missing object-src in CSP Declaration

Severity: Information

Summary
Invicti detected that the object-src directive is missing from the Content Security Policy (CSP) declaration. Without it, the policy does not restrict plugin content, so plugins that can execute JavaScript may be injected into the page.

Remediation
Set object-src to 'none' in the CSP declaration:

Content-Security-Policy: object-src 'none';

Classifications
ISO27001-A.14.2.5, CWE-16, WASC-15

Tags: CSP
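The following is an added example, not Invicti's own check or code. It parses a raw Content-Security-Policy header value, determines which source list actually governs plugin content (object-src itself, or default-src as the standard fallback directive when object-src is absent), classifies the header, and applies the remediation above by appending object-src 'none' where the explicit directive is missing. It goes slightly beyond the page by also reporting the case where object-src is absent but default-src happens to cover plugins; the sample header values are constructed for the example.

```python
"""Check a Content-Security-Policy header for a missing or permissive object-src.

Added example, not Invicti's code. Assumes the policy is supplied as the raw
header value. Applies the standard CSP fallback rule: when object-src is
absent, browsers use default-src for plugin content; when neither is present,
plugin content is unrestricted.
"""
from __future__ import annotations

from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directive names are case-insensitive. The first occurrence of a directive
    wins, which is how browsers treat duplicate directives in one policy.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def effective_object_src(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list governing plugin content, or None if unrestricted."""
    if "object-src" in policy:
        return policy["object-src"]
    # object-src falls back to default-src; if that is absent too, plugins
    # are allowed from anywhere.
    return policy.get("default-src")


def check_object_src(header: str) -> str:
    """Classify a CSP header with respect to the object-src directive.

    Returns one of:
      "missing"    - neither object-src nor default-src is declared
      "inherited"  - object-src absent; default-src is governing plugins
      "none"       - object-src 'none' is declared (the remediation on this page)
      "permissive" - object-src is declared but allows some plugin sources
    """
    policy = parse_csp(header)
    sources = effective_object_src(policy)
    if sources is None:
        return "missing"
    if "object-src" not in policy:
        return "inherited"
    if [s.lower() for s in sources] == ["'none'"]:
        return "none"
    return "permissive"


def remediate(header: str) -> str:
    """Append object-src 'none' to a policy that lacks an explicit object-src."""
    policy = parse_csp(header)
    if "object-src" in policy:
        return header  # explicit directive already present; leave as-is
    base = header.strip().rstrip(";").strip()
    return (base + "; " if base else "") + "object-src 'none'"


# Constructed sample header values for demonstration (not from any real site).
CONSTRUCTED_HEADERS = {
    "no plugin policy": "script-src 'self'; img-src *",
    "default-src fallback": "default-src 'self'; script-src 'self' https://cdn.example.test",
    "explicit none": "default-src 'self'; object-src 'none'",
    "explicit self": "object-src 'self'",
}

if __name__ == "__main__":
    for label, value in CONSTRUCTED_HEADERS.items():
        verdict = check_object_src(value)
        print(f"{label:22} -> {verdict:10} | {value}")
        if verdict in ("missing", "inherited"):
            print(f"{'':22}    fixed: {remediate(value)}")
```

A verdict of "missing" is the condition this finding describes; "inherited" means default-src is restricting plugins for now, but the remediation on this page is still to declare object-src 'none' explicitly so the restriction does not depend on default-src staying in place.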