Protocol: Content Security Policy Header
Identifier: header_content_security_policy
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
The Content Security Policy header tells the browser where it is allowed to load assets from, such as scripts and images. If it is missing or set too loosely, attackers can inject malicious code into your site, tricking users into running harmful scripts. This flaw often happens when developers assume the browser's default protections are enough and overlook setting or properly configuring the header. Ignoring it can lead to issues like cross-site scripting attacks, data theft, or takeover of your web pages, so it is crucial to set it carefully to limit the risk.
References:
- https://owasp.org/www-community/Security_Headers
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
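The check described above, as an added example that is not the scanner's own code: it parses a Content-Security-Policy header into directives, resolves the effective script source list (script-src, falling back to default-src as browsers do), and reports the classic loose settings. The sample headers in `SAMPLES` are constructed for illustration.

```python
from typing import Dict, List, Optional

# script-src governs script origins; when absent, browsers fall back to default-src.
SCRIPT_DIRECTIVES = ("script-src", "default-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts:
            # Browsers honour the first occurrence of a repeated directive.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the effective script source list, or None if nothing restricts scripts."""
    for directive in SCRIPT_DIRECTIVES:
        if directive in policy:
            return policy[directive]
    return None


def check_csp(header: Optional[str]) -> List[str]:
    """Return findings for a missing or loose CSP; an empty list means no weakness found."""
    if not header or not header.strip():
        return ["header missing"]
    sources = script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: scripts may load from anywhere"]
    lowered = [s.lower() for s in sources]
    findings = []
    # A nonce or hash source makes 'unsafe-inline' ignored in CSP Level 2+ browsers.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' lets injected inline scripts execute")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' lets injected strings be evaluated as code")
    if any(s in ("*", "http:", "https:", "data:") for s in lowered):
        findings.append("wildcard or scheme-only source allows scripts from any host")
    return findings


# Constructed sample headers, as the scanner might see them on three responses.
SAMPLES = {
    "missing": None,
    "loose": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
    "strict": "default-src 'none'; script-src 'self' 'nonce-R4nd0m'; img-src 'self'",
}
```

Run `check_csp(SAMPLES["loose"])` to see both the inline-script and the scheme-only findings; the strict sample returns no findings.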
Configuration
Example
Example configuration:

```yaml
---
security_tests:
  header_content_security_policy:
    assets_allowed:
      - REST
      - GRAPHQL
      - WEBAPP
    skip: false
```
Reference
assets_allowed
Type: List[AssetType]
List of assets that this check will cover.
skip
Type: boolean
Skip the test if true.