Synopsis
Permissive Content Security Policy Detected
Description
Content Security Policy (CSP) is a web security standard that helps mitigate attacks such as cross-site scripting (XSS), clickjacking and mixed content. A CSP lets a website tell the browser which content it is allowed to load, and from where, via the Content-Security-Policy response header (or an equivalent <meta> tag).
One or several permissive directives have been detected. See output for more details.
Solution
The following directive settings produce a safe Content Security Policy:
- 'frame-ancestors' should be set to 'none' so the page cannot be rendered inside a <frame>, <iframe>, <object>, <embed> or <applet> on any origin (the CSP replacement for X-Frame-Options against clickjacking).
- 'form-action' should be explicitly set to 'self' so that forms can only be submitted to the origin from which the protected page is served.
- 'upgrade-insecure-requests' (and, for older browsers, the now deprecated 'block-all-mixed-content') should be set so that subresources of an HTTPS page are not fetched over plain HTTP (mixed content).
- Any of the 'unsafe-*' source keywords ('unsafe-inline', 'unsafe-eval', 'unsafe-hashes') re-enables exactly the behaviour CSP is meant to block (inline scripts and styles, eval(), inline event handlers); refactor the code to remove the inline code and HTML event handlers that rely on them, using nonces or hashes only where inline script cannot be avoided.
- The scheme sources data:, https: and http: in 'default-src', 'object-src', 'base-uri' and 'script-src' allow script or plugin content to be loaded from any host over that scheme (or, with data:, to be embedded directly in the document), so they effectively permit arbitrary script execution and should not be set.
- '*' or '*.*' in 'script-src' or any other '-src' directive allows content from any origin and should be replaced with an explicit allow-list of the hosts actually needed.
- 'default-src' should be explicitly set to 'self' or 'none', with the individual fetch directives that need a wider source list set separately, as permissively as required and no more.
- '*' or '*.*' in 'default-src' is inherited by every fetch directive that is not set explicitly, leaving those source types wide open, and should not be set.
- The keywords 'none', 'self', 'unsafe-inline' and 'unsafe-eval' must be wrapped in single quotes to be valid; an unquoted self or none is parsed as a host name, so the policy silently does not do what was intended.
- 'object-src' should be explicitly set to 'none' so that plugin content (<object>, <embed>, <applet>) cannot be used to execute script.
If any of these permissive settings are required for business continuity in your environment, apply compensating controls suitable for your environment and work with the vendors of the products that require them.
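The checks above can be applied to a header value mechanically. The following is an added example, not code from the Tenable plugin: it parses a Content-Security-Policy header and reports each of the listed weaknesses. The two sample policies are constructed for illustration, and the wording of the findings is the example's own.

```python
"""Flag the permissive Content-Security-Policy settings listed in the Solution
section. Added example; not Tenable plugin code. The sample headers below are
constructed, not captured from a real site."""
from __future__ import annotations

# Keywords are only keywords when single-quoted; an unquoted self is a host name
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval", "unsafe-hashes", "strict-dynamic"}
# Bare scheme sources allow any host on that scheme (or, for data:, embedded content)
BROAD_SCHEMES = {"data:", "http:", "https:"}
# Directives in which a broad scheme source permits arbitrary script or plugin execution
SCRIPT_CONTROLLING = {"default-src", "script-src", "object-src", "base-uri"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse 'dir src src; dir src' into {dir: [src, ...]}. Browsers ignore a
    repeated directive, so the first occurrence wins here as well."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def check_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means none of the listed
    weaknesses is present."""
    policy = parse_csp(header)
    findings: list[str] = []

    # Directive-level checks (missing or too permissive directives)
    if policy.get("frame-ancestors") != ["'none'"]:
        findings.append("frame-ancestors: not set to 'none'; page can be framed")
    if policy.get("form-action") != ["'self'"]:
        findings.append("form-action: not set to 'self'; forms can post cross-origin")
    if "upgrade-insecure-requests" not in policy:
        findings.append("upgrade-insecure-requests: missing; mixed content not upgraded")
    if policy.get("default-src") not in (["'self'"], ["'none'"]):
        findings.append("default-src: should be exactly 'self' or 'none'")
    # object-src inherits default-src when absent, so evaluate the effective value
    object_src = policy.get("object-src", policy.get("default-src", []))
    if object_src != ["'none'"]:
        findings.append("object-src: should be 'none' (explicitly or via default-src)")

    # Source-level checks, applied to every source of every directive present
    for directive, sources in policy.items():
        for src in sources:
            if src in ("*", "*.*"):
                findings.append(f"{directive}: wildcard source {src}")
            elif src in KEYWORDS:
                findings.append(f"{directive}: keyword {src} must be quoted as '{src}'")
            elif src.startswith("'unsafe-"):
                findings.append(f"{directive}: {src} permits inline or eval'd script")
            elif src in BROAD_SCHEMES and directive in SCRIPT_CONTROLLING:
                findings.append(f"{directive}: scheme source {src} allows any host")
    return findings


# Constructed sample policies: one with several of the listed weaknesses, one hardened
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' https:; style-src self; object-src data:"
HARDENED_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; "
                "frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        result = check_csp(csp)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it against the value of a live Content-Security-Policy response header to reproduce the plugin's reasoning; the hardened sample policy is a reasonable starting point for a site that serves all of its own script, with individual '-src' directives widened only for the hosts actually required.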
Plugin Details
Scan Template: basic, config_audit, full, overview, pci, quick, scan
Risk Information
Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS Score Source: Tenable
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score Source: Tenable
Reference Information
CWE: 1021
OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A4
WASC: Application Misconfiguration
CAPEC: 103, 181, 222, 504, 506, 654
DISA STIG: APSC-DV-002560
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.4.3
PCI-DSS: 3.2-6.5