Content Security Policy (CSP) Header Not Set
Reference
Plugin Id: 10038 | CWE: 693
Remediation
To fix the “Content Security Policy (CSP) Header Not Set” vulnerability, you need to properly configure the Content Security Policy header in your web server or application. Here are the steps to remediate this issue:
- Identify the web server or application: Determine the technology stack used for your website or application. This could be Apache, Nginx, IIS, or a specific web framework like Express.js or Django.
- Configure the Content Security Policy header: Add the Content Security Policy header to your server or application configuration. The exact method depends on the technology stack you are using.
  - For Apache, add the following line to your .htaccess file or Apache configuration file:
    Header set Content-Security-Policy "default-src 'self';"
  - For Nginx, add the following line to your server block or location block:
    add_header Content-Security-Policy "default-src 'self';";
  - For IIS, open the IIS Manager, select your website, and go to the “HTTP Response Headers” section. Add a new header with the name Content-Security-Policy and the value default-src 'self'; (use straight ASCII single quotes around self; typographic quotes are not valid CSP syntax).
  - For specific web frameworks, consult the documentation for that framework on how to set the Content Security Policy header.
- Test and verify: After configuring the Content Security Policy header, test your website or application to ensure that it is being applied correctly. Use browser developer tools or online CSP testing tools to check that the header is present and that it restricts the loading of external content.
About
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Risks
Not setting the Content Security Policy (CSP) header exposes your website or application to various security risks:
- Cross Site Scripting (XSS) attacks: Without a CSP header, your website is vulnerable to XSS attacks, where an attacker can inject malicious scripts into your web pages and steal sensitive user information or perform unauthorized actions on behalf of the user.
- Data injection attacks: Attackers can inject malicious content into your website or application, leading to data breaches, unauthorized access, or the distribution of malware to your users.
- Site defacement or distribution of malware: Without proper CSP configuration, attackers can modify the appearance of your website or distribute malware to your users, damaging your reputation and potentially causing financial losses.
It is crucial to implement and configure the Content Security Policy header to protect your website or application from these security risks.