Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header
Info Nessus Plugin ID 50344
Synopsis
The remote web server does not take steps to mitigate a class of web application vulnerabilities.
Description
In some responses the remote web server either sets a Content-Security-Policy (CSP) header whose frame-ancestors directive is permissive (for example `frame-ancestors *`) or sends no frame-ancestors directive at all.
The frame-ancestors directive, defined in CSP Level 2 by the W3C Web Application Security Working Group, controls which origins may embed the resource in a frame, iframe, object or embed element. It is the standardized successor to the X-Frame-Options header and mitigates clickjacking (UI redressing) attacks, in which a victim is tricked into interacting with the framed page. It is not a defence against cross-site scripting; that is the job of other CSP directives such as script-src. Note that frame-ancestors does not fall back to default-src, so a policy such as `default-src 'self'` on its own provides no framing protection, and that the directive is only honoured when delivered in the HTTP response header (browsers ignore it in a <meta> element). A Content-Security-Policy-Report-Only header reports violations but does not block framing.
Solution
Set a non-permissive frame-ancestors directive, such as `frame-ancestors 'none'` (nothing may frame the page) or `frame-ancestors 'self'` (only same-origin framing), in the Content-Security-Policy HTTP response header of every resource that a browser could render in a frame. Avoid `*`, scheme-only sources such as `https:`, and wildcard hosts such as `https://*`. Continue to send X-Frame-Options as well for older browsers that do not implement CSP Level 2.
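The check below is an added example, not the Nessus plugin's own code: it parses the Content-Security-Policy header(s) of a response and classifies the frame-ancestors protection as missing, permissive or restrictive, using the rules stated in the Description above (Report-Only headers do not count, default-src does not apply, wildcard and scheme-only sources are permissive). The classification rules, the function names and the sample responses are assumptions constructed for illustration.

```python
# Added example (not Nessus plugin code): classify the frame-ancestors
# protection of an HTTP response as "missing", "permissive" or "restrictive".
# The rules are assumptions modelled on the plugin description above.
from typing import Dict, List, Optional, Sequence, Tuple

# Source expressions that let any origin embed the page.
PERMISSIVE_SOURCES = {"*", "http:", "https:"}


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split one Content-Security-Policy value into {directive: [sources]}.
    Directives are ';'-separated, tokens whitespace-separated, and directive
    names case-insensitive. A directive repeated inside one policy is ignored
    after its first occurrence, which is how browsers treat it."""
    policy: Dict[str, List[str]] = {}
    for raw in header_value.split(";"):
        tokens = raw.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def is_permissive_source(source: str) -> bool:
    """True if the source expression allows every origin to frame the page."""
    src = source.lower()
    if src in PERMISSIVE_SOURCES:
        return True
    # Drop an optional scheme ("https://*" -> "*"), port and path, then treat a
    # bare wildcard host as permissive. "*.example.com" is a real restriction.
    host = src.split("://", 1)[1] if "://" in src else src
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host == "*"


def classify_policy(policy: Dict[str, List[str]]) -> Optional[str]:
    """Return "permissive" or "restrictive" for one policy, or None when it has
    no frame-ancestors directive. default-src is deliberately not consulted:
    it does not govern frame-ancestors."""
    if "frame-ancestors" not in policy:
        return None
    sources = policy["frame-ancestors"]
    # Per CSP, an empty source list, or a list consisting solely of 'none',
    # matches nothing: no origin may frame the page. A 'none' mixed with other
    # sources is ignored, so it falls through to the wildcard check.
    if not sources or (len(sources) == 1 and sources[0].lower() == "'none'"):
        return "restrictive"
    if any(is_permissive_source(s) for s in sources):
        return "permissive"
    return "restrictive"


def frame_ancestors_status(headers: Sequence[Tuple[str, str]]) -> str:
    """Classify a response given its (name, value) header pairs.
    Only enforcing Content-Security-Policy headers count: Report-Only does not
    block framing, and a <meta> element cannot deliver frame-ancestors at all.
    Every CSP header present is enforced, so one restrictive policy suffices."""
    verdicts = [
        classify_policy(parse_csp(value))
        for name, value in headers
        if name.lower() == "content-security-policy"
    ]
    if "restrictive" in verdicts:
        return "restrictive"
    if "permissive" in verdicts:
        return "permissive"
    return "missing"


def recommended_header(allowed_origins: Sequence[str] = ()) -> str:
    """Build the value the Solution asks for: 'none' when nothing should frame
    the page, otherwise 'self' plus the explicit partner origins given."""
    if not allowed_origins:
        return "frame-ancestors 'none'"
    return "frame-ancestors 'self' " + " ".join(allowed_origins)


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "no_csp": [("Content-Type", "text/html")],
    "default_src_only": [("Content-Security-Policy", "default-src 'self'")],
    "wildcard": [("Content-Security-Policy", "frame-ancestors *")],
    "scheme_wildcard": [("Content-Security-Policy", "frame-ancestors 'self' https://*")],
    "report_only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "none": [("Content-Security-Policy", "frame-ancestors 'none'")],
    "partner": [("content-security-policy",
                 "default-src 'self'; frame-ancestors 'self' https://partner.example.com")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:18} -> {frame_ancestors_status(hdrs)}")
    print(recommended_header(["https://app.example.com"]))
```

The `report_only` and `default_src_only` samples are the two cases that most often pass a naive "is there a CSP header" check while still leaving the page frameable; both come back as `missing` here, which is the verdict this plugin reports.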