Details
Alert ID 10055-1
Alert Type Passive
Status release
Risk Low
CWE 693
WASC 15
Technologies Targeted All
Tags CWE-693
OWASP_2017_A06
OWASP_2021_A05
More Info Scan Rule Help

Summary

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Solution

Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Other Info

The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses.

References

Code

org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java