Detections
Analytics
Missing Content Security Policy
low Web App Scanning Plugin ID 112551
Language:
Synopsis
Missing Content Security PolicyDescription
Content Security Policy (CSP) is a web security standard that helps to mitigate attacks like cross-site scripting (XSS), clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load.No CSP header has been detected on this host. This URL is flagged as a specific example.
Solution
Configure Content Security Policy on your website by adding 'Content-Security-Policy' HTTP header or meta tag http-equiv='Content-Security-Policy'.See Also
https://content-security-policy.com/
https://csp-evaluator.withgoogle.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
https://developers.google.com/web/fundamentals/security/csp/
Plugin Details
Severity: Low
ID: 112551
Type: remote
Family: HTTP Security Header
Published: 2/14/2019
Updated: 3/25/2024
Scan Template: basic, config_audit, full, overview, pci, quick, scan
Risk Information
VPR
Risk Factor: Low
Score: 2.2
CVSS v2
Risk Factor: Low
Base Score: 2.6
Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Low
Base Score: 3.1
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score Source: Tenable
Reference Information
CWE: 1021
OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A4
WASC: Application Misconfiguration
CAPEC: 103, 181, 222, 504, 506, 654
DISA STIG: APSC-DV-002560
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.4.3
PCI-DSS: 3.2-6.5