This article is a part of our Web Security Knowledge Base (back to index)

Why CSP Scanner: script-src unsafe-inline can be dangerous

Content Security Policy (CSP) adds a layer of security which helps to detect and mitigate certain types of attacks such as Cross Site Scripting (XSS) and data injection attacks. Hackers use XSS attacks to trick trusted websites into delivering malicious content. The browser executes all code from trusted origin and can’t differentiate between legitimate and malicious code, so any injected code is executed as well.

The ‘script-src’ directive specifies valid sources for JavaScript. The ‘unsafe-inline’ directive allows the use of inline resources, such as inline ‘<script>>’ and ‘<style>’ elements, ‘javascript:’ URLs and inline event handlers. This means that any places where a user can inject a script attribute into your website. Then the attacker is able to perform the XSS attack.

How to fix CSP Scanner: script-src unsafe-inline

Ensure that your web server, application server, load balancer, etc. is properly configured to set the correct Content-Security-Policy header.

How does ScanRepeat report CSP Scanner: script-src unsafe-inline

ScanRepeat gets the ‘Content-Security-Policy’ header of every HTTP response and checks whether it contains the ‘unsafe-inline’ value for the ‘script-src’ directive. It reports every URL that the ‘unsafe-inline’ occurred in the response.

Would you like to test your application now against this problem? Sign up for our free trial

Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free