Security Test: Content Security Policy Header

Description

Default Severity:

The Content Security Policy header tells the browser which origins it is allowed to load assets such as scripts and images from. If the header is missing or too permissive, an attacker who can inject content into a page can get the browser to execute scripts of their choosing in the user's session. This flaw usually arises when developers assume the browser's default protections are sufficient and never set the header, or set it without restricting the directives that matter. Leaving it unaddressed exposes the site to cross-site scripting, data theft and takeover of your web pages, so the policy should be configured deliberately to limit that risk.
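As an added illustration, not the scanner's own implementation, the following Python check parses a response's CSP header and flags the two conditions the description names: the header is absent, or the sources that govern script execution are loose enough to let injected scripts run. The `WEAK_SOURCES` set, the function names and the sample headers are my own constructions.

```python
from __future__ import annotations

# Source expressions that make script-src effectively open. 'unsafe-inline'
# lets injected <script> tags run; scheme-only sources and '*' allow any host.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(headers: dict[str, str]) -> list[str]:
    """Return findings for a set of response headers; an empty list means pass."""
    # Header names are case-insensitive, so match on the lowercased name.
    header = next(
        (v for k, v in headers.items() if k.lower() == "content-security-policy"), None
    )
    if header is None:
        return ["Content-Security-Policy header is missing"]

    policy = parse_csp(header)
    findings: list[str] = []

    # script-src falls back to default-src; with neither, scripts load from anywhere.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: scripts may load from any origin")
    else:
        for src in script_src:
            if src.lower() in WEAK_SOURCES:
                findings.append(f"script-src allows {src}, which permits injected scripts")

    # object-src also falls back to default-src; plugins are another script vector.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src or default-src: plugin content is unrestricted")
    return findings


if __name__ == "__main__":
    # Constructed sample responses: one strict policy, one permissive, one absent.
    for sample in (
        {"Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com"},
        {"content-security-policy": "script-src 'self' 'unsafe-inline'"},
        {"Content-Type": "text/html"},
    ):
        print(sample, "->", check_csp(sample) or "OK")
```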

Reference:

Configuration

Identifier: protocol/header_content_security_policy

Examples

All configuration available:

checks:
  protocol/header_content_security_policy:
    skip: false # default

Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API7:2023 |
| OWASP LLM Top 10 | LLM02:2023 |
| PCI DSS | 6.5.10 |
| GDPR | Article-32 |
| SOC2 | CC6 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST SP800-53 | |
| FedRAMP | AC-14 |
| CWE | 346 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| CVSS Score | 4.3 |