This article is a part of our Web Security Knowledge Base.

Why Content Security Policy (CSP) Header Not Set can be dangerous

Content Security Policy (CSP) adds a layer of security that helps to detect and mitigate certain types of attacks, such as Cross-Site Scripting (XSS) and data injection attacks. Attackers use XSS to trick trusted websites into delivering malicious content. The browser executes all code that arrives from the trusted origin and cannot tell legitimate code from injected code, so any injected code is executed as well. Without a CSP header the browser has no policy telling it which sources are allowed, so there is nothing to stop the injected script from running.

How to fix Content Security Policy (CSP) Header Not Set

To fix Content Security Policy (CSP) Header Not Set, configure your web server to return the Content-Security-Policy HTTP header and give it values that control which resources the browser is allowed to load for your page.

The syntax is:

Content-Security-Policy: <policy-directive>; <policy-directive>

where each <policy-directive> consists of <directive> <value>, with no internal punctuation, and directives are separated by semicolons.

Example:

Content-Security-Policy: default-src 'self' http://example.com;

For a full list of possible directives and more examples please check https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.
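As an added illustration (not part of this article and not ScanRepeat's own code), the following Python check applies the syntax above to a response's headers: it reports the header as not set when it is missing, splits the value into directives, and flags a few common weaknesses. The sample responses are constructed.

```python
"""Checks a response for the 'CSP header not set' finding and parses the policy
using the syntax shown above. Sample responses below are constructed."""
from typing import Dict, List

def parse_csp(value: str) -> Dict[str, List[str]]:
    """'default-src 'self' http://example.com; script-src 'self'' ->
    {'default-src': ["'self'", 'http://example.com'], 'script-src': ["'self'"]}"""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()        # name, then space-separated values
        if not tokens:
            continue                      # tolerate a trailing ';'
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # a repeated directive is ignored (per spec)
    return policy

def check_csp(headers: Dict[str, str]) -> List[str]:
    """Return the findings for one HTTP response's headers (empty list = OK)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("content-security-policy")
    if value is None:
        return ["Content Security Policy (CSP) Header Not Set"]
    policy = parse_csp(value)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: resource types without their own directive are unrestricted")
    for name in ("default-src", "script-src"):
        sources = policy.get(name, [])
        if "'unsafe-inline'" in sources:
            findings.append(f"{name} allows 'unsafe-inline', which defeats the XSS protection")
        if "*" in sources:
            findings.append(f"{name} allows any origin (*)")
    return findings

# Constructed sample responses: header missing, the article's example policy, a weak one.
SAMPLES = {
    "no_header": {"Content-Type": "text/html"},
    "article_example": {"Content-Security-Policy": "default-src 'self' http://example.com;"},
    "weak": {"content-security-policy": "script-src * 'unsafe-inline'"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, check_csp(hdrs) or ["OK"])
```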

How does ScanRepeat report Content Security Policy (CSP) Header Not Set

ScanRepeat analyzes the value of the Content-Security-Policy header in every HTTP response. It reports every potential misconfiguration or weakness it finds, together with the origins of the affected requests.

Would you like to test your application now against this problem? Sign up for our free trial
