Configuration Management / Missing Content Security Policy
Description
Missing Content Security Policy (CSP) is a configuration management vulnerability that is classified as CWE-676 under the Common Weakness Enumeration (CWE) directory. It is also listed as a Web and API vulnerability in the OWASP Testing Guide. In a nutshell, this vulnerability occurs when an application does not define a Content Security Policy (CSP), a security mechanism that lets the web browser control which resources a web page is allowed to load.
Risk
A missing CSP is a serious risk because it leaves the browser with no restriction on where scripts and other resources may come from, which makes cross-site scripting (XSS) attacks, data theft, and malicious code execution easier to carry out. It is imperative that websites and applications have a valid CSP in place to reduce the risk of these attacks.
Solution
The solution to this vulnerability is to implement a valid CSP for the application or website. This is done by sending the Content-Security-Policy header in the server's response. A valid CSP contains a set of policy directives that tell the browser, for each type of resource, which origins it may be loaded from.
Example
The following example will set a valid CSP for an application:
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com;
This will allow the application to load scripts only from the same origin and from https://example.com, and every other type of resource (images, styles, frames, and so on, which fall back to default-src) only from the same origin.
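The following Python is an added example, not code from the original page: it shows a WSGI middleware that sets the header exactly as in the example above, a small parser for the header's directives, and an audit function that reports a missing header (the vulnerability described here) or a script-src that allows inline or wildcard sources. The policy string and the sample responses are constructed for illustration; demo_app and the helper names are assumptions.

```python
"""Set, parse and audit a Content-Security-Policy header (added example).

Assumptions: the policy below is the one shown on the page; demo_app and
the captured responses are constructed for illustration only.
"""
from typing import Dict, List

# The policy shown on the page: same origin by default, scripts also from example.com
PAGE_POLICY = "default-src 'self'; script-src 'self' https://example.com;"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}.

    Directives are separated by ';'; the first token of each is the
    directive name and the remaining tokens are its source expressions.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue  # skip empty segments such as the trailing ';'
        name, *sources = tokens
        # Browsers ignore a repeated directive, so keep the first occurrence
        policy.setdefault(name.lower(), sources)
    return policy


def audit_csp(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response's headers.

    A missing header is the vulnerability on this page; the other checks
    flag settings that leave script execution effectively unrestricted.
    """
    # HTTP header names are case-insensitive
    header = next(
        (v for k, v in headers.items() if k.lower() == "content-security-policy"),
        None,
    )
    if header is None:
        return ["missing Content-Security-Policy header"]
    findings: List[str] = []
    policy = parse_csp(header)
    if "default-src" not in policy:
        findings.append("no default-src fallback; unlisted resource types are unrestricted")
    # script-src falls back to default-src when it is not given
    script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline'")
    if "*" in script:
        findings.append("script-src allows any origin ('*')")
    return findings


def add_csp(app, policy: str = PAGE_POLICY):
    """WSGI middleware that sets the CSP header on every response."""
    def wrapped(environ, start_response):
        def start(status, response_headers, exc_info=None):
            # Drop any CSP the inner app set so exactly one header is sent
            kept = [(k, v) for k, v in response_headers
                    if k.lower() != "content-security-policy"]
            kept.append(("Content-Security-Policy", policy))
            return start_response(status, kept, exc_info)
        return app(environ, start)
    return wrapped


def demo_app(environ, start_response):
    """Constructed WSGI app that sends no CSP of its own."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>hello</h1>"]


def response_headers(app) -> Dict[str, str]:
    """Invoke a WSGI app once in-process and return its response headers."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured


if __name__ == "__main__":
    print("without middleware:", audit_csp(response_headers(demo_app)))
    print("with middleware:   ", audit_csp(response_headers(add_csp(demo_app))))
```

To serve the wrapped app locally, pass add_csp(demo_app) to wsgiref.simple_server.make_server and fetch any page; the audit returns an empty list for the page's policy and a single "missing" finding for the bare app. The parser keeps the first copy of a duplicated directive because that is how browsers resolve the conflict, so the audit reflects the policy that is actually enforced.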