Content-Security-Policy Header is Missing
Impact: Low
Description
The absence of the Content-Security-Policy (CSP) response header leaves a website without a browser-enforced second line of defense against content-injection attacks, most notably Cross-Site Scripting (XSS). Without CSP, an injection flaw anywhere in the web application can be leveraged to execute attacker-controlled scripts, steal sensitive data such as session tokens, or deface the site; with a well-defined policy, the browser refuses to load or run content from sources the policy does not allow.
Recommendation
To enhance security, configure your server to send the Content-Security-Policy header on every page with a well-defined policy that restricts the sources from which content (scripts, styles, frames, objects, images) can be loaded and executed. A policy that permits 'unsafe-inline' or wildcard script sources offers little protection against XSS; prefer 'self', nonces or hashes for scripts, and set object-src to 'none' where plugin content is not needed. Implementing CSP effectively requires careful consideration of the web application's functionality and third-party dependencies, so test the policy in report-only mode before enforcing it.
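The following is an added example, not part of the original advisory: a small Python checker that reports the missing-header finding described above and flags a few common policy weaknesses that make a CSP ineffective against XSS. The header values in SAMPLE_RESPONSES are constructed for illustration.

```python
# Added example (not from the original advisory): check a response's CSP header.
# Sample responses below are constructed for illustration.

def parse_csp(value):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            # browsers ignore repeated directives; keep the first occurrence
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def check_csp(headers):
    """Return a list of findings for one response (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-security-policy")
    if value is None:
        return ["Content-Security-Policy header is missing"]
    policy = parse_csp(value)
    findings = []
    # script-src falls back to default-src when it is absent
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: script sources are unrestricted")
    else:
        srcs = [s.lower().strip("'") for s in script]
        has_nonce_or_hash = any(s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in srcs)
        # a nonce or hash source makes CSP level 2+ browsers ignore 'unsafe-inline'
        if "unsafe-inline" in srcs and not has_nonce_or_hash:
            findings.append("script-src permits 'unsafe-inline' without a nonce or hash")
        if "unsafe-eval" in srcs:
            findings.append("script-src permits 'unsafe-eval'")
        # '*' or a bare scheme such as https: allows scripts from any host
        if any(s in ("*", "http:", "https:") for s in srcs):
            findings.append("script-src allows scripts from any origin")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src or default-src: plugin content is unrestricted")
    return findings

SAMPLE_RESPONSES = {  # constructed sample headers
    "missing": {"Server": "nginx"},
    "weak": {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:"},
    "strict": {"content-security-policy": "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, check_csp(headers) or ["no findings"])
```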
References
- CWE-16
- Mozilla: Content Security Policy (CSP)
- Mozilla: Web Security
- OWASP 2021-A5
- OWASP: Content Security Policy (CSP)
Last updated on May 13, 2024