Content Security Policy (CSP) header not implemented

By Febna V M, published on 19 Jun 2018
Content Security Policy

Content Security Policy (CSP) is a browser security standard delivered through the Content-Security-Policy HTTP response header. It lets a site declare which origins the browser may load scripts, styles, images, frames and other resources from, and whether inline scripts and eval() are permitted. It was introduced as a defence-in-depth control against cross-site scripting (XSS), clickjacking and other injection attacks, all of which work by getting attacker-controlled content executed in the context of a trusted page. CSP does not remove the injection flaw itself, but a well-written policy stops the injected script from running. An application that does not send the header gives up this extra layer of protection. A common use is to restrict script loading to a single origin. A policy consists of directives (for example script-src or default-src), each followed by a list of allowed sources. Besides host names, the following keywords can appear as sources; they must be written in single quotes, otherwise the browser treats them as host names:

  • 'none': matches nothing; no resource of that type may be loaded.
  • 'self': matches the page's own origin (same scheme, host and port).
  • 'unsafe-inline': permits inline <script> blocks and inline event handlers (and inline styles when used in style-src).
  • 'unsafe-eval': permits eval() and similar string-to-code functions such as new Function() and setTimeout with a string argument.

Example: the header below restricts scripts to the page's own origin. Inline scripts and eval() are blocked because 'unsafe-inline' and 'unsafe-eval' are not listed, and other resource types remain unrestricted because no default-src is given.

        Content-Security-Policy: script-src 'self';
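To make the keyword semantics concrete, here is an added Python example (not part of the original article, and not Beagle's code) that parses a policy string and decides whether a given external script, inline script or eval() would be permitted by it. It implements 'self', 'none', 'unsafe-inline', 'unsafe-eval', scheme sources such as https:, host sources with an optional *. wildcard and port, and the fallback from script-src to default-src. Nonces, hashes, path matching and the http-to-https upgrade rule are left out as simplifications, and the page origin and script URLs used in the demonstration are made up for the example.

```python
"""Decide whether a CSP policy allows a given script load (added example)."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, effective port) of a URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(src: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a URL (path matching omitted)."""
    scheme, host, port = _origin(url)
    if src == "'self'":
        return (scheme, host, port) == _origin(page_origin)
    if src == "*":
        return scheme in ("http", "https")  # '*' still excludes data:, blob: etc.
    if src.endswith(":") and "/" not in src:  # scheme-source such as https:
        return scheme == src[:-1].lower()
    if "://" in src:                           # host-source with explicit scheme
        src_scheme, _, rest = src.partition("://")
    else:                                      # no scheme given: inherit the page's
        src_scheme, rest = _origin(page_origin)[0], src
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    src_scheme, src_host = src_scheme.lower(), src_host.lower()
    if scheme != src_scheme:
        return False
    if src_host.startswith("*."):              # *.example.com matches a.example.com, not example.com
        if not host.endswith(src_host[1:]):
            return False
    elif host != src_host:
        return False
    if src_port == "*":
        return True
    return port == (int(src_port) if src_port else DEFAULT_PORTS.get(src_scheme))


def _governing(policy: str) -> Optional[List[str]]:
    """script-src governs scripts; default-src is the fallback when it is absent."""
    d = parse_csp(policy)
    return d.get("script-src", d.get("default-src"))


def allows_script(policy: str, page_origin: str, url: str) -> bool:
    """True if <script src=url> on a page served from page_origin would be fetched."""
    sources = _governing(policy)
    if sources is None:          # neither directive present: unrestricted
        return True
    if "'none'" in sources:
        return False
    return any(_source_matches(s, url, page_origin) for s in sources)


def allows_inline_script(policy: str) -> bool:
    sources = _governing(policy)
    return sources is None or "'unsafe-inline'" in sources


def allows_eval(policy: str) -> bool:
    sources = _governing(policy)
    return sources is None or "'unsafe-eval'" in sources


if __name__ == "__main__":
    # Constructed page origin and script URLs for the demonstration.
    page = "https://app.example.com"
    for policy in ("script-src 'self';", "script-src https://example.beaglesecurity.com;"):
        print(policy)
        for url in ("https://app.example.com/static/app.js",
                    "https://example.beaglesecurity.com/lib.js",
                    "https://cdn.evil.example/x.js"):
            verdict = "allowed" if allows_script(policy, page, url) else "blocked"
            print("  ", url, "->", verdict)
        print("   inline:", allows_inline_script(policy), " eval:", allows_eval(policy))
```

Running the demonstration shows the point the article makes about `script-src 'self'`: the site's own /static/app.js loads, the two foreign hosts are blocked, and inline scripts and eval() are refused because their keywords are absent. A policy with no script-src and no default-src allows everything, which is exactly the state of a site that sends no header at all.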

    

Impact

A missing CSP is not an injection flaw by itself, but it removes the browser-side control that would contain one. Without a policy to enforce, an attacker who finds an injection point can:-

  • execute injected script in the page (cross-site scripting) with full access to its DOM, cookies and session.
  • frame the page on a malicious site and perform clickjacking against end users (the frame-ancestors directive is what blocks framing).
  • load attacker-controlled scripts, objects and frames from any origin, since nothing restricts where resources may come from.

Mitigation / Precaution

Beagle recommends enabling CSP on your website by sending the Content-Security-Policy HTTP response header with every HTML response. The browser enforces the directives the header contains. A policy can also be delivered in a <meta http-equiv> tag, but the header form is preferred: it takes effect before any of the document is parsed, and directives such as frame-ancestors, report-uri and sandbox are ignored when they appear in a meta tag.

        Content-Security-Policy: script-src 'self';                                (response header)
        <meta http-equiv="Content-Security-Policy" content="script-src 'self';">   (meta tag)

    

If the website loads scripts from other origins, those origins can be added to the allowlist as host sources. Note that a host source does not imply the page's own origin: the policy below permits scripts from example.beaglesecurity.com only, so 'self' must be listed alongside it if the site also serves its own scripts.

        Content-Security-Policy: script-src https://example.beaglesecurity.com;
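The following added Python example (not from the article and not Beagle's code) shows the two halves of the recommendation in working form: a minimal http.server handler that sends the Content-Security-Policy header on every HTML response, a find_csp() check that tells whether a captured set of response headers actually carries an enforced policy (a Report-Only header does not count, because it never blocks anything), and a lint_policy() pre-deployment check that catches the mistakes that make a policy useless: unquoted keywords (a bare self is treated as a host named self), 'unsafe-inline' or 'unsafe-eval' on scripts, a wildcard source, no default-src fallback, no frame-ancestors, and directives that browsers ignore when the policy is delivered in a meta tag. The POLICY string, the listening port and the header dictionaries are constructed for the example.

```python
"""Send a CSP header and sanity-check a policy before shipping it (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional

# Source keywords that only work when single-quoted.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
# Directives the browser ignores when CSP is delivered via <meta http-equiv>.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "report-to", "sandbox"}

# Policy for the demo server (constructed for this example): scripts and every
# other resource type from our own origin only, no plugins, no framing.
POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"


def find_csp(headers: Dict[str, str]) -> Optional[str]:
    """Return the enforced policy found in response headers, or None if absent.
    Names are matched case-insensitively; Content-Security-Policy-Report-Only
    is deliberately not accepted, since it reports but does not block."""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return value
    return None


def lint_policy(policy: str, delivery: str = "header") -> List[str]:
    """Return human-readable findings for weaknesses in a policy string.
    delivery is "header" or "meta", depending on how the policy will be sent."""
    findings: List[str] = []
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]

    for name, sources in directives.items():
        for src in sources:
            if src.lower() in KEYWORDS:  # bare keyword: the browser reads it as a hostname
                findings.append(f"{name}: keyword {src} must be quoted as '{src}'")
            if src == "*":
                findings.append(f"{name}: wildcard source allows loading from any origin")
        if name in ("script-src", "default-src"):
            for bad in ("'unsafe-inline'", "'unsafe-eval'"):
                if bad in sources:
                    findings.append(f"{name}: {bad} defeats the XSS protection CSP provides")
        if delivery == "meta" and name in META_UNSUPPORTED:
            findings.append(f"{name}: ignored when delivered via <meta>, send it as a header")

    if "default-src" not in directives:
        findings.append("no default-src: resource types without their own directive are unrestricted")
    if "frame-ancestors" not in directives:
        findings.append("no frame-ancestors: page can be framed by any site (clickjacking); set it in the header")
    return findings


class CspHandler(BaseHTTPRequestHandler):
    """Serves a tiny page and attaches the policy to every response."""

    def do_GET(self) -> None:
        body = b'<!doctype html><title>CSP demo</title><script src="/app.js"></script>'
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", POLICY)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    problems = lint_policy(POLICY)
    assert not problems, problems          # refuse to start with a weak policy
    print("serving on http://127.0.0.1:8000/ with:", POLICY)
    HTTPServer(("127.0.0.1", 8000), CspHandler).serve_forever()
```

Start the script and confirm the header is really on the wire with `curl -sD - -o /dev/null http://127.0.0.1:8000/`; the output should contain the Content-Security-Policy line. Running lint_policy() over the article's `script-src https://example.beaglesecurity.com;` reports the missing default-src and frame-ancestors, which is the practical reason to pair a script allowlist with a restrictive default-src rather than ship the one-directive policy on its own.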

    

Written by Febna V M, Cyber Security Engineer