
Content Security Policy Header

Description

The Content-Security-Policy response header is missing, or its value is too permissive to stop injected content: for example it allows 'unsafe-inline' or 'unsafe-eval' for scripts, uses wildcard or scheme-only sources such as * or https:, or omits a default-src fallback and the object-src, base-uri and frame-ancestors restrictions.

Remediation

Send a Content-Security-Policy header whose directives limit each resource type to the sources the application actually needs. For an API endpoint that returns JSON and is never rendered as a page, `default-src 'none'; frame-ancestors 'none'` is sufficient. For HTML responses, start from `default-src 'self'; script-src 'self' 'nonce-<per-response value>'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'`, avoid 'unsafe-inline' and 'unsafe-eval', and deploy the policy as Content-Security-Policy-Report-Only first to find legitimate resources it would block.
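As an added check (editor's example, not part of this page or of the scanner's own logic), the following JavaScript linter shows what "insecure value" means in practice: it parses a policy value, applies the spec's fallback from script-src and object-src to default-src (base-uri and frame-ancestors do not fall back), and reports the permissive settings described above. The sample header values at the bottom are constructed for the demo, not captured from a real server.

```javascript
// Added example, not code from this page or from any scanner: a small
// linter for Content-Security-Policy header values. Input is the header
// value only (not the "Content-Security-Policy:" name).

function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a directive.
    if (!directives.has(name)) {
      // Lowercased for keyword matching only; nonces themselves are case-sensitive.
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Returns the directive that actually governs `name` after the default-src fallback.
function effective(directives, name) {
  if (directives.has(name)) return { name, sources: directives.get(name) };
  if (directives.has('default-src')) {
    return { name: 'default-src', sources: directives.get('default-src') };
  }
  return null;
}

// Sources that let scripts come from anywhere, or from attacker-controlled URLs.
const WIDE_OPEN = new Set(['*', 'http:', 'https:', 'data:', 'blob:', 'filesystem:']);

function evaluateCsp(value) {
  if (!value || value.trim() === '') return ['Content-Security-Policy header missing'];
  const d = parseCsp(value);
  const findings = [];

  const script = effective(d, 'script-src');
  let scriptsBlocked = false;
  if (!script) {
    findings.push('no script-src and no default-src: scripts may load from anywhere');
  } else {
    const src = script.sources;
    scriptsBlocked = src.length === 1 && src[0] === "'none'";
    // With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline' (kept for old browsers).
    const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push(`${script.name} allows 'unsafe-inline' without a nonce or hash`);
    }
    if (src.includes("'unsafe-eval'")) findings.push(`${script.name} allows 'unsafe-eval'`);
    for (const s of src) {
      if (WIDE_OPEN.has(s)) findings.push(`${script.name} allows wildcard or scheme-only source ${s}`);
    }
  }

  const object = effective(d, 'object-src');
  if (!object || !object.sources.includes("'none'")) {
    findings.push("object-src is not 'none': <object>/<embed> plugin content can run");
  }
  if (!scriptsBlocked && !d.has('base-uri')) {
    findings.push('base-uri not set: an injected <base> tag can redirect relative script URLs');
  }
  if (!d.has('frame-ancestors')) {
    findings.push('frame-ancestors not set: the response can be framed (clickjacking)');
  }
  return findings;
}

// Constructed sample header values for the demo.
const SAMPLES = {
  missing: '',
  weak: "default-src * 'unsafe-inline' 'unsafe-eval'",
  schemeWide: "default-src 'self'; script-src 'self' https:; object-src 'none'; base-uri 'none'; frame-ancestors 'self'",
  strictHtml: "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  jsonApi: "default-src 'none'; frame-ancestors 'none'",
};

for (const [label, value] of Object.entries(SAMPLES)) {
  console.log(label, evaluateCsp(value));
}
```

The `strictHtml` sample keeps 'unsafe-inline' next to a nonce on purpose: that is the documented compatibility pattern, and a checker that flags it regardless produces noise.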

GraphQL Specific

Apollo Apollo Server does not set response headers itself; mount it on an HTTP framework (for example Express via `expressMiddleware`) and add the Content-Security-Policy header there with helmet or custom middleware to mitigate XSS by controlling which dynamic resources may load. Restrict 'default-src', 'script-src', 'style-src' and 'img-src' to trusted origins, tailored to your application's requirements. The Apollo landing page and Sandbox load assets from Apollo's CDN, so either allow those origins explicitly or disable the landing page in production rather than loosening the policy.
Yoga Implement a Content Security Policy (CSP) header in the Yoga framework engine to mitigate the risk of Cross-Site Scripting (XSS) and other code injection attacks. Define the policy directives to restrict the sources from which content can be loaded, and specify the valid sources for scripts, styles, and other resources. Ensure that the CSP header is configured correctly and tested thoroughly to prevent any unintended restrictions on legitimate content.
Awsappsync Implement a Content Security Policy (CSP) header in your AWS AppSync responses by configuring your web service or the serverless function that serves the content. Use the CSP header to define which resources are allowed to load for your AppSync API, thereby reducing the risk of XSS attacks. Ensure that the CSP directives are appropriately restrictive to prevent the loading of unauthorized resources, while still allowing the necessary ones for your application to function correctly.
Graphqlgo Implement a Content Security Policy (CSP) header in the GraphQL Go framework engine to mitigate the risk of Cross-Site Scripting (XSS) and other code injection attacks. Define a policy that specifies the valid sources of content and restricts the browser from loading malicious resources. Ensure that the CSP header is configured properly and tested to not interfere with the legitimate functionality of the GraphQL application.
Graphqlruby Implement a Content Security Policy (CSP) header in your GraphQL Ruby application to mitigate the risk of Cross-Site Scripting (XSS) attacks. Define a policy that specifies the valid sources of content and restricts the browser from loading malicious resources. You can configure the CSP header in your Ruby on Rails application by adding it to the `config/initializers/content_security_policy.rb` file or by using middleware to set the header. Ensure that the CSP directives are compatible with the functionality of your application and test thoroughly to prevent breaking legitimate content loading.
Hasura Implement a Content Security Policy (CSP) header for the Hasura engine by adding it at the reverse proxy, ingress or API gateway in front of the engine, which is the usual place to manage response headers for Hasura. The GraphQL endpoint returns JSON, so `default-src 'none'; frame-ancestors 'none'` is appropriate there; the console, if exposed, is an HTML page and needs a policy that allows its own scripts and styles. Test the policy thoroughly to confirm that it does not interfere with legitimate Hasura functionalities.
Agoo Implement a secure Content Security Policy (CSP) header in the Agoo framework engine to restrict resources such as scripts, styles, and other content to trusted sources only.
Ariadne Implement a secure Content Security Policy (CSP) header in the Ariadne framework engine to restrict resources such as scripts, styles, and other content to trusted sources only.
Caliban Implement a strict Content Security Policy (CSP) header in the Caliban framework to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content.
Dgraph Implement a strict Content Security Policy (CSP) header in the Dgraph framework to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Dianajl Implement a strict Content Security Policy (CSP) header in the DianaJL framework engine to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Directus Implement a secure Content Security Policy (CSP) header in the Directus framework to restrict resources such as scripts, styles, and media to trusted sources only.
Flutter Implement a secure Content Security Policy (CSP) header in your Flutter web application to restrict resources such as scripts, styles, and other content to trusted sources only.
Graphene Implement a strict Content Security Policy (CSP) by setting the 'Content-Security-Policy' header in your Graphene framework engine to only allow trusted sources for scripts, styles, and other resources.
Graphqlapiforwp Implement a strict Content Security Policy (CSP) header in the GraphQL API for WP framework to prevent content injection attacks.
Graphqlgophergo Implement a strict Content Security Policy (CSP) header in the GraphQLGopherGo framework to prevent content injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Graphqljava Implement a secure Content Security Policy (CSP) header in your GraphQL Java framework engine to restrict the sources of content and mitigate the risk of cross-site scripting (XSS) and data injection attacks.
Graphqlphp Implement a secure Content Security Policy (CSP) header in your GraphQL-PHP application to restrict resources like scripts, styles, and other content to trusted sources only.
Graphqlyoga Implement a strict Content Security Policy (CSP) header in your GraphQL Yoga server configuration to prevent content injection attacks.
Hypergraphql Implement a strict Content Security Policy (CSP) header in the Hypergraphql framework to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Jaal Implement a strict Content Security Policy (CSP) header in the Jaal framework engine to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Juniper Implement a strict Content Security Policy (CSP) header in the Juniper framework engine to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Lacinia Implement a strict Content Security Policy (CSP) header in the Lacinia framework engine to prevent content injection attacks by specifying allowed sources for scripts, styles, and other resources.
Lighthouse Implement a strong Content Security Policy (CSP) by setting the `Content-Security-Policy` header to restrict resources such as scripts, styles, and images to trusted sources only.
Mercurius Implement a strict Content Security Policy (CSP) header in the Mercurius framework to prevent content injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Morpheusgraphql Implement a strict Content Security Policy (CSP) header in the Morpheus GraphQL framework engine to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Gqlgen Implement a strict Content Security Policy (CSP) header in the gqlgen framework to prevent content injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Sangria Implement a secure Content Security Policy (CSP) header in the Sangria framework engine to restrict resources such as scripts, styles, and other content to trusted sources only.
Shopify Implement a strict Content Security Policy (CSP) header in your Shopify theme to prevent cross-site scripting (XSS) and data injection attacks. Ensure the CSP is configured to only allow trusted sources for scripts, styles, and other resources.
Stepzen Implement a strict Content Security Policy (CSP) header in your StepZen framework engine to prevent cross-site scripting (XSS) and data injection attacks. Define allowed sources for scripts, styles, and other resources to enhance security.
Strawberry Implement a strict Content Security Policy (CSP) header in the Strawberry Framework engine to prevent content injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Tartiflette Implement a secure Content Security Policy (CSP) header in the Tartiflette framework engine to restrict resources such as scripts, styles, and other content to trusted sources only.
Wpgraphql Implement a secure Content Security Policy (CSP) header in the wpgraphql framework to restrict resources such as scripts, styles, and other content to trusted sources only.

REST Specific

Asp_net Implement a strict Content-Security-Policy (CSP) header in your ASP.NET application. In ASP.NET Core, add it in custom middleware (`app.Use(...)`) that sets `context.Response.Headers["Content-Security-Policy"]` before the pipeline continues; in classic ASP.NET, set it in `Application_BeginRequest` in Global.asax.cs, in the `<customHeaders>` section of web.config, or through OWIN middleware. Keep the directive values restrictive, allow resources only from trusted sources, and avoid 'unsafe-inline' and 'unsafe-eval' for scripts and styles.
Ruby_on_rails Implement a Content Security Policy (CSP) by adding the `Content-Security-Policy` header to your application's responses. In Ruby on Rails, you can use the `secure_headers` gem to manage CSP and other security-related headers. Configure the CSP directives to define the allowed sources for scripts, styles, images, and other resources to enhance your application's defense against XSS attacks. Ensure that the policy is strict enough to prevent loading of potentially malicious content, but permissive enough to allow legitimate functionality.
Next_js Implement a Content Security Policy (CSP) by returning a `Content-Security-Policy` header from the `headers()` function in `next.config.js`, or, when a per-request nonce is needed (the approach Next.js documents for strict policies), by generating the nonce in `middleware.js` and setting the header there or in your custom server. Define a policy that specifies allowed sources for scripts, styles, and other resources to enhance security against XSS attacks. Test the policy thoroughly to ensure it doesn't break your application's functionality.
Laravel Implement a Content Security Policy (CSP) by adding the 'Content-Security-Policy' header to your Laravel application's responses. This can be done by using middleware to set the header with appropriate directives that define the sources from which the application can load resources. Ensure that the directives are restrictive enough to prevent XSS attacks, but permissive enough to allow legitimate content to load. Test the policy thoroughly to avoid breaking the functionality of your application.
Express_js Implement a Content Security Policy (CSP) by setting the `Content-Security-Policy` HTTP header. Use the `helmet` middleware in your Express.js application to easily configure and manage CSP. Define a policy that specifies the valid sources for various resource types and add it to your app using `helmet.contentSecurityPolicy()`. Test your policy thoroughly to ensure it allows legitimate resources while blocking potentially harmful ones.
Django Implement the Content-Security-Policy (CSP) header by adding it to your Django application's response headers. Use the django-csp package or middleware to help define and control the CSP policy, ensuring that it is neither missing nor set to insecure values. Configure the policy directives to restrict the sources from which content can be loaded, effectively mitigating the risk of XSS attacks.
Symfony Implement a Content-Security-Policy (CSP) header in your Symfony application either by setting it on the `Response` object (for every response, in a `kernel.response` event listener or subscriber) or with the `nelmio/security-bundle`, which manages CSP under its own `nelmio_security` configuration and supports nonces and report-only mode. The header is not configured in `security.yaml`, which covers authentication and access control. Ensure that the CSP directives are appropriately strict to prevent XSS attacks without hindering the functionality of your application.
Spring_boot Implement a Content Security Policy (CSP) by configuring the `Content-Security-Policy` HTTP response header through Spring Security in your Spring Boot application. Declare a `SecurityFilterChain` bean and call `http.headers(headers -> headers.contentSecurityPolicy(csp -> csp.policyDirectives("...")))`; `WebSecurityConfigurerAdapter` is deprecated since Spring Security 5.7 and removed in 6. Use `reportOnly()` on the same configurer to trial the policy before enforcing it. Ensure that the CSP directives are appropriately restrictive to your application's needs without allowing unsafe sources.
Flask Implement the Content-Security-Policy (CSP) header by using Flask extensions such as Flask-Talisman to define a policy that specifies which content sources are valid. This helps prevent XSS attacks by controlling resources the user agent is allowed to load.
Nuxt Implement a Content Security Policy (CSP) in your Nuxt application. In Nuxt 3, the `nuxt-security` module manages the `Content-Security-Policy` header (with nonce support) from `nuxt.config`; in Nuxt 2, register `helmet` as a server middleware to set the header. Configure the CSP directives to define the allowed sources for scripts, styles, and other resources, restricting them to self and trusted domains. Test the policy thoroughly to prevent breaking legitimate functionality.
Fastapi Implement the Content-Security-Policy (CSP) header in FastAPI with middleware that adds it to every response: a function decorated with `@app.middleware("http")` that awaits `call_next(request)` and sets `response.headers["Content-Security-Policy"]`, or a Starlette `BaseHTTPMiddleware` subclass. Use `default-src 'none'; frame-ancestors 'none'` for pure JSON routes, and a separate, broader policy for the interactive docs at `/docs` and `/redoc`, which load their UI from a CDN unless you self-host the assets. Ensure that the CSP directives allow only trusted sources for scripts, styles, and other resources.
Frappe Implement a strict Content Security Policy (CSP) header in the Frappe framework to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Genzio Implement a strict Content Security Policy (CSP) header in the Genzio framework engine to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Gin Implement a secure Content Security Policy (CSP) header in the Gin framework by setting the 'Content-Security-Policy' header with appropriate directives to restrict resources such as scripts, styles, and media to trusted sources only.
Gorilla Implement a strong Content Security Policy (CSP) by setting the `Content-Security-Policy` header to restrict resources such as scripts, styles, and images to trusted sources only.
Hapi Implement a strong Content Security Policy (CSP) header in your Hapi.js application by using the 'hapi-csp' plugin or manually setting the 'Content-Security-Policy' header to restrict resources like scripts, styles, and images to trusted sources.
Hono Implement a strict Content Security Policy (CSP) header in the Hono framework engine to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Jersey Implement a secure Content Security Policy (CSP) header in your Jersey framework application to restrict resources such as scripts, styles, and other content types to trusted sources only.
Koa Implement a secure Content Security Policy (CSP) header in your Koa application by using the 'koa-helmet' middleware to define and enforce a strict CSP that only allows trusted sources for content.
Ktor Implement a secure `Content-Security-Policy` header in your Ktor application by adding it through the `DefaultHeaders` plugin (`install(DefaultHeaders) { header("Content-Security-Policy", "...") }`) or per route with `call.response.header(...)`, using a strict policy that only allows trusted sources for content.
Leptos Implement a strict Content Security Policy (CSP) header in the Leptos framework to prevent cross-site scripting (XSS) and data injection attacks by specifying allowed sources for content such as scripts, styles, and media.
Macaron Implement a secure Content Security Policy (CSP) header in the Macaron framework by configuring the middleware to define allowed sources for content such as scripts, styles, and images.
Phoenix Implement a secure Content Security Policy (CSP) header in your Phoenix framework application to restrict resources such as scripts, styles, and other content to trusted sources only.
Redwoodjs Implement a secure Content Security Policy (CSP) header in your RedwoodJS application by configuring the `Content-Security-Policy` header to only allow trusted sources for scripts, styles, and other resources.
Rocket Implement a strict Content Security Policy (CSP) header in your Rocket framework application to prevent cross-site scripting (XSS) and data injection attacks. Define allowed sources for scripts, styles, and other resources to enhance security.
Sveltekit Implement a secure Content Security Policy (CSP) in your SvelteKit application with the built-in `kit.csp` option in `svelte.config.js`, which lets you declare directives and has SvelteKit add per-request nonces or hashes to the scripts and styles it emits, or by setting the `Content-Security-Policy` header in a server hook or in your server configuration. Restrict resources like scripts, styles, and images to trusted sources only.

Configuration

Identifier: protocol/header_content_security_policy

Examples

Ignore this check

checks:
  protocol/header_content_security_policy:
    skip: true

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM02:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-14

Classification

  • CWE: 346

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVSS_SCORE: 4.3
