Configuration Management / Weak Content Security Policy (CSP)
Weak Content Security Policy (CSP) is a misconfiguration of web and API deployments that can lead to serious security issues. This vulnerability is classified by the Common Weakness Enumeration (CWE) directory as CWE-79 and is listed in the OWASP Testing Guide as T5: Security Misconfiguration. CSP is a browser security feature that lets a website declare which resources (scripts, images, styles and so on) may be loaded and executed, in order to limit the damage from content injection. A weak CSP, for example one that permits inline or wildcard script sources, lets injected malicious code execute, resulting in data theft and other malicious activity.
A weak CSP also reduces the effectiveness of other browser defences, such as the Same-Origin Policy, the mechanism that restricts how documents and scripts from different origins interact with each other.
To address this vulnerability, a strong Content Security Policy (CSP) must be implemented. A strong CSP names the allowed sources for each type of resource, such as scripts and images, and restricts what those resources may do, such as whether inline scripts may execute or whether eval-style code generation is permitted. Anything not explicitly allowed is denied, so a strong CSP should set a restrictive default (such as default-src 'none') rather than rely on permissive fallbacks.
The following example demonstrates a strong CSP that allows scripts only from the page's own origin and from the example.com domain, while denying scripts from all other domains. Because default-src is set to 'none', every other resource type (images, styles, fonts, connections) is blocked unless its own directive is added:
Content-Security-Policy: script-src 'self' https://example.com; default-src 'none';
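The checks a reviewer applies to such a header can be automated. The following Python script is an added example, not code from the original page: it parses a Content-Security-Policy header value and flags the common weaknesses discussed above (missing default-src, permissive script-src sources, object-src not locked down, and missing base-uri, which does not inherit from default-src). The sample headers and the list of weak source expressions are constructed for this example.

```python
from typing import Dict, List

# Source expressions that let attacker-controlled script run under script-src.
# Constructed list for this checker; it is not exhaustive.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:",
                       "http:", "https:", "filesystem:"}

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def audit_csp(header: str) -> List[str]:
    """Return the weaknesses found in the policy (an empty list means no finding)."""
    findings: List[str] = []
    policy = parse_csp(header)
    if "default-src" not in policy:
        findings.append("missing default-src: resource types without a directive are unrestricted")
    # script-src falls back to default-src when it is absent.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: any script may load")
    else:
        lowered = [s.lower() for s in script]
        strict_dynamic = "'strict-dynamic'" in lowered
        for src in lowered:
            if strict_dynamic and src != "'unsafe-eval'":
                continue  # CSP3: host, scheme and 'unsafe-inline' sources are ignored with 'strict-dynamic'
            if src in WEAK_SCRIPT_SOURCES:
                findings.append(f"script-src allows {src}: injected scripts can execute")
            elif src.startswith("*.") or "://*." in src:
                findings.append(f"script-src allows wildcard host {src}: any subdomain can serve scripts")
    # object-src also falls back to default-src; anything but 'none' enables plugin-based bypasses.
    obj = policy.get("object-src", policy.get("default-src"))
    if obj is None or [s.lower() for s in obj] != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be used to bypass script-src")
    # base-uri does NOT fall back to default-src, so it must be set explicitly.
    if "base-uri" not in policy:
        findings.append("missing base-uri: an injected <base> tag can redirect relative script URLs")
    return findings

# Constructed sample headers: the page's example policy and a deliberately weak one.
PAGE_POLICY = "script-src 'self' https://example.com; default-src 'none';"
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"

if __name__ == "__main__":
    for name, hdr in (("page", PAGE_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_csp(hdr) or ["no findings"])
```

Run against the page's own header, the only finding is the missing base-uri directive, which is worth adding even to an otherwise strict policy.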