Protocol: Content Security Policy
Identifier: content_security_policy
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
The Content-Security-Policy header tells the browser which origins it may load assets such as scripts and images from. If the header is missing or configured too permissively, attackers can inject code into your site and trick users' browsers into running malicious scripts. This flaw typically arises when developers assume the browser's default protections are sufficient and never set the header, or set it without restricting the sources that matter. Leaving it unaddressed can lead to cross-site scripting, data theft, or takeover of your web pages, so the policy should be defined carefully to limit that risk.
References:
- https://owasp.org/www-community/Security_Headers
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
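As an added example (not the scanner's own code), a small Python check that parses a Content-Security-Policy header value and reports the permissive settings the description warns about; the sample policies in the comments are constructed.

```python
# Added example: evaluate a Content-Security-Policy header value the way a
# defensive check would, flagging a missing policy or loose script sources.
from typing import Dict, List, Optional

# Sources that, in script-src, let scripts run from almost anywhere.
WEAK_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(header: Optional[str]) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}; None/empty -> {}."""
    policy: Dict[str, List[str]] = {}
    if not header:
        return policy
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts:
            # Directive names and keyword sources are case-insensitive.
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def check_csp(header: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings: List[str] = []
    policy = parse_csp(header)
    if not policy:
        return ["Content-Security-Policy header is missing or empty"]
    # script-src falls back to default-src when it is not set explicitly.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: scripts may load from any origin")
    else:
        # A nonce or hash source makes CSP3-aware browsers ignore 'unsafe-inline',
        # so only flag it when no such source is present.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in script_src)
        for src in script_src:
            if src == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            if src in WEAK_SCRIPT_SOURCES:
                findings.append(f"script-src allows {src}")
    # Plugins (object-src) are a classic bypass when left unrestricted.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src is not restricted")
    return findings
```

Constructed inputs: `check_csp(None)` reports the missing header, `check_csp("default-src *; script-src * 'unsafe-inline'")` reports two loose script sources, and a policy such as `default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'` yields no findings.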
Configuration
Example
Example configuration:
Reference
assets_allowed
Type: List[AssetType]
List of assets that this check will cover.
skip
Type: boolean
Skip the test if true.