Insecure Content Secure Policy Configuration
Test name: Headers Security Check
Summary |
---|
Browsers support many HTTP headers that can improve web application security. The HTTP security headers are exchanged between a web client (usually browser) and a server to specify the security-related details of the HTTP communication. Some HTTP headers that are indirectly related to privacy and security can also be considered as the HTTP security headers.
By enabling certain headers in your web application and server settings, you can increase your web application resistance to many common attacks. Implementing the right headers is a crucial aspect of a best-practice application setup.
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in trusted web page context. By using suitable CSP directives in HTTP response headers, you can selectively specify which data sources should be permitted in your web application.
The Content-Security-Policy HTTP header controls permitted content sources and many other parameters.
Impact |
---|
This vulnerability may expose the application to the following attack vectors:
- Cross-Site Scripting (XSS)
- Clickjacking
- Code injection
An attacker may:
- Download malware or execute malicious script on the user's machine
- Redirect to the malicious web pages
- Gain credentials or sensitive information
Location |
---|
- The issue can be found in the server configuration.
- The issue can be found in the source code on the server side.
Remedy suggestions |
---|
Verify that the HTTP Response Headers are configured correctly. If necessary, apply changes to the web server configuration and the application source code.
Proposed values for the Content Security Policy HTTP Header:
- Content-Security-Policy:
default-src 'self' data:; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content
Web server syntax:
- Apache:
Header always set [HEADER_NAME] [PROPOSED_VALUE]
- Nginx:
add_header [HEADER_NAME] [PROPOSED_VALUE] always;
Do not use:
- X-WebKit-CSP (deprecated): Experimental header used in the past by Chrome and other WebKit-based browsers.
- X-Content-Security-Policy (deprecated): Experimental header used in the past by browsers based on Gecko 2.
To find the detailed recommendations on correct configuration and all possible values of the HTTP Response Headers, refer to the References section.
Classification |
---|
- CWE-693
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
References |
---|
Updated over 3 years ago