Description
The absence of the Content-Security-Policy (CSP) response header leaves a website vulnerable to various types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. Without CSP, attackers can exploit vulnerabilities in the web application to execute malicious scripts, steal sensitive data, or deface the site.
Recommendation
To enhance security, configure your server to send the Content-Security-Policy header for all pages with a well-defined policy that restricts the sources from which content can be loaded and executed. Implementing CSP effectively requires careful consideration of the web application’s functionality and dependencies.
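As an added illustration (not part of the original entry), the following Python script shows how the presence and quality of a Content-Security-Policy header can be checked from a defender's side. The three response header sets, including the `static.example.com` origin, are constructed for this example; `parse_csp` splits the header value into directives and `audit_csp` reports a missing header or permissive script sources such as `'unsafe-inline'` and wildcard origins.

```python
from __future__ import annotations

# Constructed sample responses, as a scanner or test harness would see them.
# Policies and hostnames are illustrative and not taken from any real site.
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "text/html"},
    "weak": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    },
    "strict": {
        "Content-Type": "text/html",
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self' https://static.example.com; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        ),
    },
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [sources]}.

    Directives are separated by ';', sources within a directive by whitespace.
    Directive names are case-insensitive, so they are lower-cased here.
    """
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, []).extend(tokens[1:])
    return policy


def audit_csp(headers: dict[str, str]) -> list[str]:
    """Return findings for one response; an empty list means these checks passed."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-security-policy")
    if value is None:
        return ["Content-Security-Policy header is missing"]

    policy = parse_csp(value)
    findings: list[str] = []

    # script-src governs script execution; default-src is the fallback.
    script_sources = policy.get("script-src", policy.get("default-src", []))
    if not script_sources:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    if "'unsafe-inline'" in script_sources:
        findings.append("script-src allows 'unsafe-inline', which defeats CSP's XSS protection")
    if "'unsafe-eval'" in script_sources:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script_sources:
        findings.append("script-src allows wildcard '*' origins")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src not restricted (set object-src 'none')")
    if "base-uri" not in policy:
        findings.append("base-uri not restricted")
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(f"{label}: {audit_csp(headers) or 'no findings'}")
```

The script only inspects a header map, so it can be wired to any HTTP client or run over saved responses; the "strict" sample produces no findings, while the "weak" one is flagged four times and the "missing" one once.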
References
- Mozilla: Web Security
- Mozilla: Content Security Policy (CSP)
- OWASP: Content Security Policy (CSP)
- CWE-16
- OWASP 2021-A5
Related Issues
- Referrer-Policy Header is Missing - Vulnerability
- Strict-Transport-Security Header is Missing - Vulnerability
- X-Content-Type-Options Header is Missing - Vulnerability
- X-XSS-Protection Header is Missing - Vulnerability
Tags
- HTTP Headers
- Content Security Policy
- Cross Site Scripting (XSS)
- Application Misconfiguration
Last updated on May 13, 2024