Fixing Missing Content Security Policy (CSP)
Vulnerability assessment details, CWE reference metrics, and complete code-level patches.
Threat Profile
Vulnerability Analysis
A Content Security Policy (CSP) is an HTTP response header that restricts the resources (such as JavaScript, CSS, and images) the browser is allowed to load for a given page, mitigating XSS risks.
How it is Detected
Identified by checking whether the HTTP response includes a 'Content-Security-Policy' header.
Remediation Guidelines
Configure your server to send a Content-Security-Policy header outlining trusted script sources.
Remediation Script (HTTP Response Header)
# SECURE REMEDIATION: Sample secure CSP header
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.google.com;
Frequently Asked Questions
What is a Content Security Policy?
CSP is a security header that tells the browser which origins it may load resources from, blocking scripts injected from anywhere else and so mitigating XSS.
How do I create a CSP policy?
Audit your external scripts, stylesheets, and iframe origins, then write directives that allow only those origins.
What does 'unsafe-inline' mean?
It allows inline script blocks, which weakens CSP protections against XSS. Avoid using it.
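To connect the detection check, the remediation header and the 'unsafe-inline' caveat above, here is an added example (not code from the original page or from any scanner) that parses a CSP header value and reports the weak settings discussed on this page, run over constructed sample responses; the sample header values are assumptions.

```python
from typing import Dict, List

# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "text/html"},
    "weak": {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'"},
    "secure": {"Content-Security-Policy": "default-src 'self'; script-src 'self' https://apis.google.com;"},
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for clause in value.split(";"):
        parts = clause.strip().split()
        if parts:  # a trailing ';' yields an empty clause, which is skipped
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means no issue was found."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("content-security-policy")
    if value is None:
        return ["Content-Security-Policy header is missing"]
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback: unlisted resource types are unrestricted")
    # Per the CSP spec, script-src falls back to default-src when it is absent.
    script_sources = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        findings.append("script-src allows 'unsafe-inline': inline scripts are permitted, weakening XSS protection")
    for directive, sources in policy.items():
        if "*" in sources:
            findings.append(f"{directive} allows any origin ('*')")
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, audit_csp(headers) or ["OK"])
```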
Related Vulnerability Profiles
SQL Injection (SQLi)
Attackers execute arbitrary SQL commands, bypassing authentication and manipulating database schemas.
Stored Cross-Site Scripting (Stored XSS)
Malicious scripts are stored on the server (e.g. database) and executed when users request the compromised resource.
Reflected Cross-Site Scripting (Reflected XSS)
Malicious scripts are reflected off the web server (e.g. search queries) and executed immediately in the user's browser.
DOM-based Cross-Site Scripting (DOM XSS)
Vulnerability where the client-side JavaScript processes inputs in an unsafe way (e.g. using eval or innerHTML).