Description
Content Security Policy (CSP) is a browser security mechanism that helps prevent cross-site scripting (XSS) and other code injection attacks by controlling which resources can be loaded and executed on a web page. This check identifies misconfigurations in the target's CSP implementation that may weaken security protections or create unintended side effects. While the presence of a CSP is positive, improper configuration can provide a false sense of security while leaving applications vulnerable to attacks.
Remediation
Review the CSP misconfiguration details provided in the alert findings. For each identified issue, take the following actions:
1. Examine the current CSP directive - Review the CSP value and source (HTTP header or meta tag) where the issue was detected.
2. Remove unsafe source expressions - Eliminate 'unsafe-inline', 'unsafe-eval', and wildcard (*) sources where possible (these are source keywords inside a directive such as script-src, not directives of their own). Use nonces or hashes for inline scripts instead; once a script-src directive contains a nonce or hash, CSP Level 2 browsers ignore 'unsafe-inline' in that directive, so keeping both gives no protection against modern browsers.
3. Specify explicit sources - Replace broad domain allowlists with specific, trusted origins.
4. Implement CSP via HTTP headers - Use the Content-Security-Policy HTTP response header rather than meta tags for better coverage and security. A policy delivered in a meta element cannot carry frame-ancestors, report-uri, or sandbox, and it only takes effect once the parser reaches it, so anything loaded earlier in the document is not covered.
5. Test thoroughly - Deploy the policy first in report-only mode (the Content-Security-Policy-Report-Only header, with a report-uri or report-to directive so violation reports reach you) to identify legitimate resources that would be blocked before switching to the enforcing header.
Example of a secure CSP header:
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; style-src 'self' 'nonce-{random}'; img-src 'self' https://trusted-cdn.example.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';
Here {random} stands for a fresh, unguessable value (at least 128 bits from a cryptographic random source, base64-encoded) generated for every response and echoed in the nonce attribute of each inline script and style the page intends to run; a nonce that is static or reused across responses gives no protection. Consult the specific remediation guidance provided for each misconfiguration finding and refer to the CSP documentation links for detailed implementation guidance.
References
Using Content Security Policy (CSP) to Secure Web Applications