Content Security Policy Missing 'Report-To'

low Web App Scanning Plugin ID 114796

Synopsis

Content Security Policy Missing 'Report-To'

Description

Content Security Policy (CSP) is a web security standard that helps mitigate attacks such as cross-site scripting (XSS), clickjacking and mixed content. It lets a website tell the browser which sources of content (scripts, styles, frames, images and so on) it is allowed to load.

The 'report-to' directive names a reporting endpoint group, declared in the companion 'Reporting-Endpoints' response header, to which the browser sends CSP violation reports. It supersedes the deprecated 'report-uri' directive, which takes a URL directly. Violation reports let administrators see what a policy is blocking in production and tighten or correct it; a report-only policy (the 'Content-Security-Policy-Report-Only' header) depends on reporting entirely, since it blocks nothing.

A Content Security Policy was detected on this host, but it does not contain the 'report-to' directive. If the policy also lacks the deprecated 'report-uri' directive, browsers report no violations at all. The policy still blocks what it is configured to block; what is lost is visibility: an attempted injection, a source list that is too strict for a legitimate page, or a third-party script that starts loading from a new origin produces no signal to the site's operators.
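The check this finding describes, reproduced against a captured set of response headers, as an added example that is not part of the Tenable plugin. It goes slightly further than the finding: besides the absence of 'report-to', it reports a 'report-to' group that no 'Reporting-Endpoints' header declares, a non-HTTPS collector, and a missing 'report-uri' fallback. The sample header sets, the group name 'csp-endpoint' and the URL reports.example.com are constructed for the example.

```javascript
// Added example, not from the Tenable plugin page: audit CSP violation reporting
// from a response's headers. Sample headers, group name and URL are constructed.

// Parse a CSP header value into a Map of directive name -> source list.
// Per the CSP spec, a repeated directive name is ignored after its first occurrence.
function parseCsp(value) {
  const directives = new Map();
  for (const raw of value.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Parse a Reporting-Endpoints header (a Structured Field dictionary such as
// csp-endpoint="https://reports.example.com/csp") into a Map of group -> URL.
function parseReportingEndpoints(value) {
  const endpoints = new Map();
  if (!value) return endpoints;
  for (const member of value.split(',')) {
    const m = member.trim().match(/^([a-z*][a-z0-9_\-.*]*)="([^"]*)"$/);
    if (m) endpoints.set(m[1], m[2]);
  }
  return endpoints;
}

// Return a list of findings about CSP violation reporting for one response.
// `headers` uses lowercase names, as Node's http module returns them.
function auditCspReporting(headers) {
  const findings = [];
  const csp = headers['content-security-policy'] ?? headers['content-security-policy-report-only'];
  if (csp === undefined) return ['no Content-Security-Policy header present'];
  const directives = parseCsp(csp);
  const groups = parseReportingEndpoints(headers['reporting-endpoints']);
  const reportTo = directives.get('report-to');
  if (reportTo === undefined) {
    findings.push("CSP is missing the 'report-to' directive");
  } else if (reportTo.length !== 1) {
    findings.push("'report-to' must name exactly one endpoint group");
  } else if (!groups.has(reportTo[0])) {
    findings.push(`'report-to ${reportTo[0]}' refers to a group not declared in Reporting-Endpoints`);
  } else if (!groups.get(reportTo[0]).startsWith('https://')) {
    findings.push(`reporting endpoint for '${reportTo[0]}' is not https`);
  }
  if (!directives.has('report-uri')) {
    findings.push("no 'report-uri' fallback for browsers without Reporting API support");
  }
  return findings;
}

// Constructed sample responses: the finding as reported, a dangling group, and a fix.
const MISSING = { 'content-security-policy': "default-src 'self'; script-src 'self'" };
const DANGLING = { 'content-security-policy': "default-src 'self'; report-to csp-endpoint" };
const FIXED = {
  'reporting-endpoints': 'csp-endpoint="https://reports.example.com/csp"',
  'content-security-policy':
    "default-src 'self'; report-to csp-endpoint; report-uri https://reports.example.com/csp",
};

for (const [label, headers] of Object.entries({ MISSING, DANGLING, FIXED })) {
  console.log(label, auditCspReporting(headers));
}
```

To run it against a live host, fetch the page with Node's http or fetch API and pass the lowercased response headers to auditCspReporting; a policy delivered only through a meta tag cannot carry 'report-to' at all, since reporting directives are ignored there.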

Solution

Add a 'report-to' directive to the existing Content-Security-Policy header, naming an endpoint group, and declare that group's HTTPS URL in a 'Reporting-Endpoints' header on the same response. Keep (or add) a 'report-uri' directive pointing at the same URL as a fallback for browsers that do not support 'report-to'; browsers that do support it ignore 'report-uri' when both are present. The collecting endpoint must accept POST requests carrying the JSON report body; because anyone can submit to it, validate and rate-limit what it ingests before acting on it.
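The remediation in code, as an added example that is not part of the Tenable plugin or any vendor's software: a function that extends an existing policy with the reporting headers, and a normaliser for the two report formats a collector will receive (the Reporting API's `application/reports+json` array for 'report-to', and the legacy `application/csp-report` object for 'report-uri'). The group name 'csp-endpoint', the URL reports.example.com and the two sample report bodies are constructed for the example.

```javascript
// Added example, not from the Tenable plugin page or any vendor code: emit the
// headers that satisfy this finding and normalise incoming violation reports.
// Group name, collector URL and sample reports are constructed assumptions.

const REPORT_GROUP = 'csp-endpoint';
const REPORT_URL = 'https://reports.example.com/csp';

// Extend an existing policy (which must not already carry a reporting directive).
// 'report-to' names a group; the group's URL lives in Reporting-Endpoints.
// 'report-uri' stays as a fallback for browsers without 'report-to' support;
// browsers that support 'report-to' ignore 'report-uri' when both are present.
function reportingHeaders(existingPolicy) {
  const policy = existingPolicy.trim().replace(/;\s*$/, '');
  if (/(^|;)\s*report-(to|uri)\b/i.test(policy)) {
    throw new Error('policy already contains a reporting directive');
  }
  return {
    'Reporting-Endpoints': `${REPORT_GROUP}="${REPORT_URL}"`,
    'Content-Security-Policy': `${policy}; report-to ${REPORT_GROUP}; report-uri ${REPORT_URL}`,
  };
}

// Normalise one delivery into a flat list of violations, whichever format it uses.
// Reporting API deliveries are an array of {type, url, age, user_agent, body};
// legacy deliveries are a single {"csp-report": {...}} object with kebab-case keys.
function normaliseCspReports(contentType, rawBody) {
  const parsed = JSON.parse(rawBody);
  if (contentType.startsWith('application/reports+json')) {
    return parsed
      .filter((r) => r.type === 'csp-violation')
      .map((r) => ({
        document: r.body.documentURL,
        blocked: r.body.blockedURL,
        directive: r.body.effectiveDirective,
        disposition: r.body.disposition,
        policy: r.body.originalPolicy,
      }));
  }
  if (contentType.startsWith('application/csp-report')) {
    const b = parsed['csp-report'];
    return [{
      document: b['document-uri'],
      blocked: b['blocked-uri'],
      directive: b['effective-directive'] ?? b['violated-directive'],
      disposition: b['disposition'],
      policy: b['original-policy'],
    }];
  }
  throw new Error(`unexpected report content type: ${contentType}`);
}

// Constructed sample deliveries, one per format.
const SAMPLE_REPORTING_API = JSON.stringify([{
  type: 'csp-violation', age: 10, url: 'https://app.example.com/account', user_agent: 'constructed',
  body: {
    documentURL: 'https://app.example.com/account',
    blockedURL: 'https://cdn.evil.example/x.js',
    effectiveDirective: 'script-src',
    originalPolicy: "default-src 'self'; report-to csp-endpoint",
    disposition: 'enforce',
    statusCode: 200,
  },
}]);
const SAMPLE_LEGACY = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example.com/account',
    'blocked-uri': 'inline',
    'effective-directive': 'script-src',
    'violated-directive': 'script-src',
    'original-policy': "default-src 'self'; report-uri https://reports.example.com/csp",
    disposition: 'enforce',
  },
});

console.log(reportingHeaders("default-src 'self'; script-src 'self';"));
console.log(normaliseCspReports('application/reports+json', SAMPLE_REPORTING_API));
console.log(normaliseCspReports('application/csp-report', SAMPLE_LEGACY));
```

Wire normaliseCspReports behind a POST handler that reads the request body and dispatches on the Content-Type header; reports are sent without credentials, so the handler should not depend on cookies, and should respond 204 quickly rather than doing work inline.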

See Also

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/report-to

Plugin Details

Severity: Low

ID: 114796

Type: remote

Published: 5/22/2025

Updated: 5/22/2025

Scan Template: basic, config_audit, full, overview, pci, quick, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Low

Base Score: 2.1

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information