Why Content Security Policy (CSP) Report-Only Header Found can be dangerous
The ‘Content Security Policy (CSP) Report-Only Header Found’ finding may indicate a work-in-progress CSP rollout, or an oversight when promoting a pre-production configuration to production, where the report-only policy was never switched to an enforced one.
Content Security Policy (CSP) adds a layer of security that helps to detect and mitigate certain types of attacks, such as Cross-Site Scripting (XSS) and data injection attacks. Hackers use XSS attacks to trick trusted websites into delivering malicious content: the browser executes all code from the trusted origin and cannot distinguish legitimate code from injected code, so any injected script runs as well. A Content-Security-Policy-Report-Only header only reports policy violations to the configured reporting endpoint; it does not block them, so on its own it provides none of this protection.
How to fix Content Security Policy (CSP) Report-Only Header Found
Ensure that your web server, application server, load balancer, etc. are properly configured to send an enforcing Content-Security-Policy header with the intended policy, rather than only the Report-Only variant.
How does ScanRepeat report Content Security Policy (CSP) Report-Only Header Found
ScanRepeat inspects every HTTP response and checks whether it contains a ‘Content-Security-Policy-Report-Only’ header. It reports every occurrence found, along with the URL of the request.
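The same check, written as an added example rather than ScanRepeat's own code, run over constructed sample responses: it flags every response carrying the Report-Only header and, going slightly beyond the description above, also records whether an enforcing Content-Security-Policy header accompanies it and whether the report-only policy names a report-uri or report-to endpoint at all (the URLs and headers are made up for the example).

```python
# Constructed sample responses as (url, [(header, value), ...]); not real scan output.
SAMPLE_RESPONSES = [
    ("https://example.test/", [
        ("Content-Security-Policy-Report-Only",
         "default-src 'self'; report-uri /csp-report")]),
    ("https://example.test/app", [
        ("content-security-policy", "default-src 'self'"),
        ("content-security-policy-report-only",
         "default-src 'self'; script-src 'self'; report-to csp")]),
    ("https://example.test/legacy", [
        ("Content-Security-Policy-Report-Only", "default-src 'self'")]),
    ("https://example.test/static/app.js", [
        ("Content-Type", "application/javascript")]),
]


def header_values(headers, name):
    """All values of a header, matched case-insensitively as HTTP requires."""
    return [v for n, v in headers if n.lower() == name.lower()]


def has_report_endpoint(policy):
    """True if the policy names somewhere to send violation reports; without
    report-uri or report-to a Report-Only policy has no effect at all."""
    directives = {d.strip().split()[0].lower() for d in policy.split(";") if d.strip()}
    return bool(directives & {"report-uri", "report-to"})


def find_report_only(responses):
    """Flag every response carrying Content-Security-Policy-Report-Only, noting
    whether an enforcing policy is also set and whether reports go anywhere."""
    findings = []
    for url, headers in responses:
        report_only = header_values(headers, "Content-Security-Policy-Report-Only")
        if not report_only:
            continue
        findings.append({
            "url": url,
            "enforcing_csp_present": bool(header_values(headers, "Content-Security-Policy")),
            "report_endpoint_present": any(has_report_endpoint(p) for p in report_only),
        })
    return findings
```

A finding with `enforcing_csp_present` false is the case the fix above addresses; one with `report_endpoint_present` false is a report-only header that neither blocks nor reports anything.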