Description
The response does not include a Content-Security-Policy (CSP) header, so the browser enforces no restriction on where scripts, styles and other content may be loaded from or executed. This leaves the site without a browser-side defense against Cross-Site Scripting (XSS) and other data injection attacks: any injection flaw in the web application can be exploited to execute attacker-controlled scripts, steal sensitive data such as session tokens, or deface the site.
Recommendation
To enhance security, configure your server to send the Content-Security-Policy header for all pages with a well-defined policy that restricts the sources from which content can be loaded and executed. Implementing CSP effectively requires careful consideration of the web application’s functionality and dependencies.
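A small checker for the kind of policy this recommendation calls for, added here as an example (it is not the scanner's own code): it parses a header value and flags the settings that undo the protection, resolving fetch directives through the default-src fallback and treating 'unsafe-inline' as harmless when a nonce or hash is also present, as browsers do. The sample header values are constructed.

```python
"""Audit a Content-Security-Policy header value for weak settings.

Directive and keyword names are real CSP syntax; the sample policies below
are constructed for this example."""
import re

# Source expressions that let an injected script load from nearly anywhere.
WEAK_SOURCES = {"*", "data:", "http:", "https:", "'unsafe-eval'"}
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(header):
    """Split "default-src 'self'; script-src a b" into {directive: [sources]}."""
    policy = {}
    for raw in (header or "").split(";"):
        parts = raw.strip().split()
        if parts:
            # Per the CSP spec a repeated directive is ignored, so keep the first one.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy, directive):
    """Resolve a fetch directive through its default-src fallback; None = unrestricted."""
    return policy.get(directive, policy.get("default-src"))


def audit_csp(header):
    """Return a list of findings; an empty list means no weakness was detected."""
    policy = parse_csp(header)
    if not policy:
        return ["no Content-Security-Policy header"]
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: directives not listed allow any source")
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} unrestricted")
            continue
        lowered = {s.lower() for s in sources}
        for weak in sorted(WEAK_SOURCES & lowered):
            findings.append(f"{directive} allows {weak}")
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
        # so flag it only when it actually takes effect.
        if "'unsafe-inline'" in lowered and not any(NONCE_OR_HASH.match(s) for s in sources):
            findings.append(f"{directive} allows 'unsafe-inline'")
    return findings


# Constructed sample header values exercising the checks.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; object-src 'none'"
STRICT = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline'; "
          "object-src 'none'; base-uri 'self'")

if __name__ == "__main__":
    for label, value in (("missing", None), ("weak", WEAK), ("strict", STRICT)):
        print(label, audit_csp(value) or ["ok"])
```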
References
- Mozilla: Web Security
- Mozilla: Content Security Policy (CSP)
- OWASP: Content Security Policy (CSP)
- CWE-16
- OWASP 2021-A5