Configuration Management / Missing Content Security Policy

Web and API

Description

Missing Content Security Policy (CSP) is a configuration management vulnerability that is classified as CWE-676 under the Common Weakness Enumeration (CWE) directory. It is also listed as a Web and API vulnerability in the OWASP Testing Guide. In a nutshell, this vulnerability occurs when an application does not define a Content Security Policy (CSP), a security mechanism that lets the web browser control which resources a web page is allowed to load.

Risk

A missing CSP is a serious risk because it removes a browser-side defence against cross-site scripting (XSS), data theft, and malicious code execution. It is imperative that websites and applications have a valid CSP in place to reduce the impact of these attacks.

Solution

The solution to this vulnerability is to implement a valid CSP for the application or website. This is done by sending the Content-Security-Policy header in the server's response. A valid CSP contains a set of policy directives (for example default-src, script-src and object-src) that tell the browser which origins each type of resource may be requested from, so that resources from unlisted origins are blocked.
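The following is an added example, not code from the original page: a small Python audit that checks a response's headers for the Content-Security-Policy header and flags the weak settings that most commonly defeat its purpose. The sample header values and the audit rules are constructed for illustration.

```python
from typing import Dict, List


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for raw in header_value.split(";"):
        tokens = raw.strip().split()
        if tokens:
            # Directive names are case-insensitive; a repeated directive is ignored by browsers.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list means no obvious weakness."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("content-security-policy")
    if value is None:
        if "content-security-policy-report-only" in lowered:
            return ["CSP is Report-Only: violations are reported but nothing is blocked"]
        return ["Content-Security-Policy header is missing"]
    policy = parse_csp(value)
    findings: List[str] = []
    default = policy.get("default-src")
    if default is None:
        findings.append("no default-src: resource types without an explicit directive are unrestricted")
    # script-src falls back to default-src when it is not set explicitly.
    script = policy.get("script-src", default or [])
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline', so injected inline scripts still run")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script:
        findings.append("script-src allows '*': scripts may be loaded from any origin")
    if "object-src" not in policy and default != ["'none'"]:
        findings.append("object-src is not locked down; set object-src 'none'")
    return findings


# Constructed sample responses (not taken from the original page).
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "weak": {"Content-Security-Policy": "script-src 'self' 'unsafe-inline' *; img-src *"},
    "strong": {"Content-Security-Policy": "default-src 'none'; script-src 'self'; object-src 'none'; base-uri 'self'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit_csp(hdrs) or ["OK"])
```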
