Content Security Policy Header

Description

The Content-Security-Policy header is missing from the response, or it is present but set to an insecure value.

Remediation

Set the Content-Security-Policy header to a secure value.
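To make "missing or insecure" concrete, here is an added example (not code from the Escape documentation or from any framework on this page) that audits a Content-Security-Policy value. The rules it encodes are assumptions chosen to illustrate the check: header absent, no default-src fallback, 'unsafe-inline' or 'unsafe-eval' for scripts, and wildcard or bare-scheme script sources. It also handles one edge case: CSP Level 3 browsers ignore 'unsafe-inline' when script-src also carries a nonce or hash, so that combination is not flagged.

```javascript
// Added example: audit a Content-Security-Policy header value.
// Not part of the page or of any listed framework; the rule set is an assumption.

// Parse "directive src src; directive src ..." into Map<directive, string[]>.
// Browsers honour only the first occurrence of a directive, so do the same.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// True when script-src carries a nonce or hash source. CSP Level 3 browsers
// then ignore 'unsafe-inline', so it is no longer an effective weakening.
// Nonce and hash values are case-sensitive, so they are matched as written.
function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// Returns an array of findings; an empty array means the value passed the audit.
function auditCspHeader(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.trim() === '') {
    return ['Content-Security-Policy header is missing'];
  }
  const policy = parseCsp(headerValue);
  const findings = [];

  if (!policy.has('default-src')) {
    findings.push('no default-src: resource types without an explicit directive are unrestricted');
  }

  // script-src falls back to default-src when it is not set.
  const scriptSrc = policy.get('script-src') ?? policy.get('default-src') ?? [];
  const keywords = scriptSrc.map((s) => s.toLowerCase()); // keywords are case-insensitive

  if (keywords.includes("'unsafe-inline'") && !hasNonceOrHash(scriptSrc)) {
    findings.push("script-src allows 'unsafe-inline'");
  }
  if (keywords.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval'");
  }
  // '*' or a bare scheme permits scripts from any origin; data: scripts are
  // attacker-controllable wherever an injection exists.
  const broad = keywords.filter((s) => s === '*' || /^(https?|data):$/.test(s));
  if (broad.length > 0) {
    findings.push(`script-src allows broad sources: ${broad.join(' ')}`);
  }
  return findings;
}
```

Run it over the header value a scanner or `curl -I` returns for your endpoint; a non-empty result is the condition this check reports.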

GraphQL Specific

Apollo

Implement a Content Security Policy (CSP) header in the Apollo framework engine to mitigate the risk of XSS attacks by specifying which dynamic resources are allowed to load. Define a policy that restricts sources for scripts, styles, and other potentially unsafe content to trusted domains. Update the server configuration to include the CSP header with the appropriate directives, such as 'default-src', 'script-src', 'style-src', and 'img-src', tailored to your application's requirements.

Yoga

Implement a Content Security Policy (CSP) header in the Yoga framework engine to mitigate the risk of Cross-Site Scripting (XSS) and other code injection attacks. Define the policy directives to restrict the sources from which content can be loaded, and specify the valid sources for scripts, styles, and other resources. Ensure that the CSP header is configured correctly and tested thoroughly to prevent any unintended restrictions on legitimate content.

Awsappsync

Implement a Content Security Policy (CSP) header in your AWS AppSync responses by configuring your web service or the serverless function that serves the content. Use the CSP header to define which resources are allowed to load for your AppSync API, thereby reducing the risk of XSS attacks. Ensure that the CSP directives are appropriately restrictive to prevent the loading of unauthorized resources, while still allowing the necessary ones for your application to function correctly.

Graphqlgo

Implement a Content Security Policy (CSP) header in the GraphQL Go framework engine to mitigate the risk of Cross-Site Scripting (XSS) and other code injection attacks. Define a policy that specifies the valid sources of content and restricts the browser from loading malicious resources. Ensure that the CSP header is configured properly and tested to not interfere with the legitimate functionality of the GraphQL application.

Graphqlruby

Implement a Content Security Policy (CSP) header in your GraphQL Ruby application to mitigate the risk of Cross-Site Scripting (XSS) attacks. Define a policy that specifies the valid sources of content and restricts the browser from loading malicious resources. You can configure the CSP header in your Ruby on Rails application by adding it to the config/initializers/content_security_policy.rb file or by using middleware to set the header. Ensure that the CSP directives are compatible with the functionality of your application and test thoroughly to prevent breaking legitimate content loading.

Hasura

Implement a Content Security Policy (CSP) header in the Hasura engine by adding it to the list of HTTP headers in the Hasura console or configuration file. Ensure that the CSP directives are appropriately set to restrict the sources from which content can be loaded, thereby mitigating the risk of Cross-Site Scripting (XSS) and data injection attacks. Test the policy thoroughly to confirm that it does not interfere with legitimate Hasura functionalities.

REST Specific

Asp_net

Implement a strict Content-Security-Policy (CSP) header in your ASP.NET application by adding it to the response headers in the Global.asax.cs file or through custom middleware in the OWIN pipeline. Ensure that the CSP directive values are restrictive, allowing resources to be loaded only from trusted sources, and avoid using 'unsafe-inline' or 'unsafe-eval' for scripts and styles.

Ruby_on_rails

Implement a Content Security Policy (CSP) by adding the Content-Security-Policy header to your application's responses. In Ruby on Rails, you can use the secure_headers gem to manage CSP and other security-related headers. Configure the CSP directives to define the allowed sources for scripts, styles, images, and other resources to enhance your application's defense against XSS attacks. Ensure that the policy is strict enough to prevent loading of potentially malicious content, but permissive enough to allow legitimate functionality.

Next_js

Implement a Content Security Policy (CSP) by adding a Content-Security-Policy HTTP header in the next.config.js file or by setting it directly in your server-side code. Define a policy that specifies allowed sources for scripts, styles, and other resources to enhance security against XSS attacks. Test the policy thoroughly to ensure it doesn't break your application's functionality.

Laravel

Implement a Content Security Policy (CSP) by adding the 'Content-Security-Policy' header to your Laravel application's responses. This can be done by using middleware to set the header with appropriate directives that define the sources from which the application can load resources. Ensure that the directives are restrictive enough to prevent XSS attacks, but permissive enough to allow legitimate content to load. Test the policy thoroughly to avoid breaking the functionality of your application.

Express_js

Implement a Content Security Policy (CSP) by setting the Content-Security-Policy HTTP header. Use the helmet middleware in your Express.js application to easily configure and manage CSP. Define a policy that specifies the valid sources for various resource types and add it to your app using helmet.contentSecurityPolicy(). Test your policy thoroughly to ensure it allows legitimate resources while blocking potentially harmful ones.

Django

Implement the Content-Security-Policy (CSP) header by adding it to your Django application's response headers. Use the django-csp package or middleware to define and control the policy, ensuring that the header is neither missing nor set to insecure values. Configure the policy directives to restrict the sources from which content can be loaded, effectively mitigating the risk of XSS attacks.

Symfony

Implement a Content-Security-Policy (CSP) header in your Symfony application by configuring it in the security.yaml file or by setting the header directly in your controller responses. Use the nelmio/security-bundle for an easier CSP configuration. Ensure that the CSP directives are appropriately strict to prevent XSS attacks without hindering the functionality of your application.

Spring_boot

Implement a Content Security Policy (CSP) by configuring the Content-Security-Policy HTTP response header in your Spring Boot application. Use the WebSecurityConfigurerAdapter to set a strict CSP that defines which resources are allowed to load, thus preventing XSS attacks. Ensure that the CSP directives are appropriately restrictive for your application's needs without allowing unsafe sources.

Flask

Implement the Content-Security-Policy (CSP) header by using Flask extensions such as Flask-Talisman to define a policy that specifies which content sources are valid. This helps prevent XSS attacks by controlling resources the user agent is allowed to load.

Nuxt

Implement a Content Security Policy (CSP) in your Nuxt.js application by adding the helmet middleware to set the Content-Security-Policy header. Configure the CSP directives in nuxt.config.js to define the allowed sources for scripts, styles, and other resources, restricting sources to trusted domains and 'self' only. Test the policy thoroughly to prevent breaking legitimate functionality.

Fastapi

Implement the Content-Security-Policy (CSP) header in FastAPI by using a middleware that sets the CSP header with secure values. This can be done by creating a custom middleware function that adds the CSP header to all responses or by using a third-party package like starlette-csp. Ensure that the CSP directives are appropriately configured to allow only trusted sources for scripts, styles, and other resources.

Configuration

Identifier: protocol/header_content_security_policy

Examples

Ignore this check

checks:
  protocol/header_content_security_policy:
    skip: true

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API7:2023

  • pci: 6.5.10

  • gdpr: Article-32

  • soc2: CC6

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-14

Classification

  • CWE: 346

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVSS_SCORE: 4.3

References