Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header

Info Nessus Plugin ID 50344

Synopsis

The remote web server does not take steps to mitigate a class of web application vulnerabilities.

Description

In some of its responses, the remote web server either sets a permissive Content-Security-Policy (CSP) frame-ancestors directive or does not set one at all.

The CSP frame-ancestors header has been proposed by the W3C Web Application Security Working Group as a way to mitigate cross-site scripting and clickjacking attacks.

Solution

Set a non-permissive Content-Security-Policy frame-ancestors header for all requested resources.
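To make the finding concrete, the following is an added example (not part of the Nessus plugin or of Tenable's code) that classifies a response's CSP header the way this check does: no enforcing header or no frame-ancestors directive is reported as "missing", a source list containing a wildcard or bare scheme is "permissive", and anything else (for example `'none'`, `'self'` or an explicit origin allow-list) is "restrictive". The function names and the sample response headers are constructed for this example; the Content-Security-Policy-Report-Only header is deliberately ignored because it reports but does not enforce.

```python
"""Classify HTTP responses by their CSP frame-ancestors directive.

Added illustration: function names and sample headers are assumptions made
for this example, not the plugin's own logic.
"""

# Constructed sample response headers (not captured from any real server).
SAMPLE_RESPONSES = {
    "no-csp": {"Content-Type": "text/html"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "csp-without-frame-ancestors": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'"
    },
    "wildcard": {"content-security-policy": "frame-ancestors *"},
    "scheme-only": {"Content-Security-Policy": "frame-ancestors https:"},
    "self": {"Content-Security-Policy": "frame-ancestors 'self'"},
    "none": {"Content-Security-Policy": "frame-ancestors 'none'"},
    "allow-list": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"
    },
}

# Source expressions that let any site frame the page.
PERMISSIVE_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(header_value):
    """Split a CSP header value into {directive_name: [source, ...]}.

    Directives are separated by ';', tokens by whitespace; names are
    case-insensitive, so they are lowercased here.
    """
    directives = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, []).extend(tokens[1:])
    return directives


def frame_ancestors_status(headers):
    """Return 'missing', 'permissive' or 'restrictive' for one response.

    Only the enforcing Content-Security-Policy header counts; header names
    are matched case-insensitively as HTTP requires.
    """
    csp_values = [v for k, v in headers.items() if k.lower() == "content-security-policy"]
    if not csp_values:
        return "missing"
    sources = []
    found = False
    for value in csp_values:
        directives = parse_csp(value)
        if "frame-ancestors" in directives:
            found = True
            sources.extend(directives["frame-ancestors"])
    if not found:
        return "missing"
    if any(src.lower() in PERMISSIVE_SOURCES for src in sources):
        return "permissive"
    return "restrictive"


def scan_all(responses):
    """Map each sample name to its frame-ancestors status."""
    return {name: frame_ancestors_status(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, status in scan_all(SAMPLE_RESPONSES).items():
        print(f"{name:30s} {status}")
```

Run the file to see each constructed response classified; only the "self", "none" and "allow-list" samples pass, which is the outcome the solution above calls for. A real scan would feed the headers of every fetched resource into `frame_ancestors_status`, since a restrictive policy on the home page does not cover other paths that omit it.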

See Also

http://www.nessus.org/u?55aa8f57

http://www.nessus.org/u?07cc2a06

https://content-security-policy.com/

https://www.w3.org/TR/CSP2/

Plugin Details

Severity: Info

ID: 50344

File Name: http_X_Content_Security_Policy_header.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 2010/10/26

Updated: 2018/11/15

Dependencies: 67257

Risk Information

Risk Factor: Info