| Details | |
|---|---|
| Alert ID | 10038-2 |
| Alert Type | Passive |
| Status | release |
| Risk | Informational |
| CWE | 693 |
| WASC | 15 |
| Technologies Targeted | All |
| Tags |
CWE-693 OWASP_2017_A06 OWASP_2021_A05 POLICY_PENTEST POLICY_QA_STD |
| More Info |
Scan Rule Help |
Summary
The “X-Content-Security-Policy” and “X-WebKit-CSP” headers are no longer recommended.
Solution
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.Other Info
References
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
- https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
- https://www.w3.org/TR/CSP/
- https://w3c.github.io/webappsec-csp/
- https://web.dev/articles/csp
- https://caniuse.com/#feat=contentsecuritypolicy
- https://content-security-policy.com/