This article is a part of our Web Security Knowledge Base (back to index)
Why CSP Scanner: Wildcard Directive can be dangerous
Content Security Policy (CSP) adds a layer of security which helps to detect and mitigate certain types of attacks such as Cross Site Scripting (XSS) and data injection attacks. Hackers use XSS attacks to trick trusted websites into delivering malicious content. The browser executes all code from trusted origin and can’t differentiate between legitimate and malicious code, so any injected code is executed as well.
Badly configured ‘Content-Security-Policy’ header, allowing wildcard or overly broadly sources increase the risk of the XSS attack.
How to fix CSP Scanner: Wildcard Directive
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
How does ScanRepeat report CSP Scanner: Wildcard Directive
ScanRepeat analyzes every HTTP response ‘Content-Security-Policy’ header and checks its directives. It reports every occurrence of directives which allow wildcard sources, are not defined, or are overly broadly defined.
Would you like to test your application now against this problem? Sign up for our free trial
Scan Your Web App Now