Protocol: Content Security Policy Header
Identifier:
header_content_security_policy
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
The Content Security Policy header tells the browser where it's allowed to load assets from. If it's missing or set too loosely, attackers can inject malicious code into your site, potentially leading to cross-site scripting attacks, data theft, or taking control of web pages.
How we test: We analyze HTTP response headers to detect if the Content Security Policy header is missing or configured too loosely. We check if CSP directives properly restrict where assets can be loaded from and if the policy is sufficient to prevent code injection attacks.
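As an added illustration of the kind of check described above (this is example code, not the scanner's own implementation), the following Python parses a Content-Security-Policy header and reports the two conditions the test looks for: the header is absent, or it is present but its effective script sources are loose enough to allow injected code. The list of "weak" source expressions, the report-only handling and the sample headers are assumptions made for this example.

```python
"""Added example: detect a missing or overly permissive Content-Security-Policy
header. Not the scanner's code; the weak-source list below is an assumption."""

# Source expressions that, when present in the effective script policy, let the
# browser run inline, eval'd, or arbitrary third-party script (assumed list).
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}


def parse_csp(header_value):
    """Parse "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def csp_findings(headers):
    """Return a list of finding strings for one HTTP response's headers."""
    # Header names are case-insensitive; normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("content-security-policy")
    if value is None:
        if "content-security-policy-report-only" in lower:
            return ["CSP is report-only: violations are reported but not blocked"]
        return ["Content-Security-Policy header is missing"]

    policy = parse_csp(value)
    findings = []

    # Effective script sources: script-src if set, otherwise default-src.
    script_sources = policy.get("script-src", policy.get("default-src"))
    if script_sources is None:
        findings.append("neither script-src nor default-src is set; "
                        "scripts may load from anywhere")
    else:
        for src in script_sources:
            if src.lower() in WEAK_SOURCES:
                findings.append(f"script sources include {src}, which allows "
                                "injected or third-party script")

    # Plugin content (object/embed) is another script-execution vector.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src is not restricted")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no header": {"Content-Type": "text/html"},
    "strict": {"Content-Security-Policy":
               "default-src 'self'; object-src 'none'"},
    "loose": {"content-security-policy":
              "default-src 'self'; script-src 'self' 'unsafe-inline' *"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", csp_findings(hdrs) or ["no findings"])
```

The check reads the effective script policy the way a browser does: `script-src` wins when present, and `default-src` is the fallback. A policy that only sets unrelated directives (for example `img-src`) still counts as unrestricted for script.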
References:
- https://owasp.org/www-community/Security_Headers
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
Configuration
Example
Example configuration:
Reference
skip
Type : boolean
Skip the test if true.