GET Web Application Security Evidence: Cross-Site Scripting
Ingrid

https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=web_appsec

Get cross-site scripting evidence, including:
- Content Security Policy Configurations
- Cross-Domain Subresource Integrity Check
- Cross-Domain Subresource Integrity Failure
- CSP Violations

For details specific to Web Application Security, use the ?risk_vector=web_appsec parameter. Other query parameters are listed in GET: Finding Details.

Content Security Policy Configurations
[details.assessment_name = content_security_policy]

Example Response

```json
{
  "message": "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.",
  "documentUrl": "url",
  "source": "header",
  "directive": "script-src",
  "value": [
    "'unsafe-inline'"
  ],
  "details": "",
  "cspSeverity": 10,
  "type": 301
}
```

Response Attributes

Field | Type | Description
message | String | A summary of the issue.
documentUrl | String | The URL used to retrieve the CSP configuration.
source | String | The location where the CSP configuration was loaded from.
directive | String | The CSP directive evaluated from a particular piece of evidence.
value | Array | The value of the CSP directive.
details | String |
cspSeverity | Integer | The severity of the CSP directive that will be used for grading.
type | Integer | The type of HTML resource.

Cross-Domain Subresource Integrity Check
[assessmentName = cross_domain_subresource_integrity_check]

Example Response

```json
{
  "type": "link",
  "resource": "url",
  "hash": "Integrity attribute missing"
}
```

Response Attributes

Field | Type | Description
type | String | The type of HTML resource.
resource | String | A link to the resource as defined in the web application.
hash | String | The hash value present in the HTML element.
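The Content Security Policy Configurations evidence above reports one directive value per record and grades it with cspSeverity. The Python below is an added example, not Bitsight's code, of the kind of evaluation that produces such records: it parses a policy into directives, flags risky source expressions, and emits findings using the same field names as the example response. The severity numbers, the list of risky sources, the "no script directive" check and the sample policy are this example's own assumptions; the API's grading rules are not documented on this page.

```python
"""Evaluate a Content-Security-Policy header the way the Content Security
Policy Configurations evidence above describes: split the policy into
directives, flag risky source expressions, and emit one record per finding
using the same field names as the API example (message, documentUrl,
source, directive, value, cspSeverity).

Added example, not Bitsight's code. The severity numbers, the risky-source
list and the 'no script directive' check are this example's own assumptions.
"""
from __future__ import annotations

# Assumed severities, 10 = worst, chosen for this example only.
RISKY_SOURCES: dict[str, tuple[int, str]] = {
    "'unsafe-inline'": (10, "allows the execution of unsafe in-page scripts and event handlers."),
    "'unsafe-eval'": (8, "allows string-to-code evaluation such as eval() and new Function()."),
    "*": (7, "allows the resource to be loaded from any origin."),
    "data:": (6, "allows data: URIs, whose content is attacker-controllable."),
}

# Browsers resolve the policy for <script> elements in this order: script-src-elem,
# then script-src, then default-src (the fallback the CSP Violations message mentions).
SCRIPT_DIRECTIVES = ("script-src-elem", "script-src", "default-src")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-separated; the first token is the directive name and the
    rest are its values. When a directive is repeated, browsers keep the first
    occurrence and ignore the rest, so this parser does the same.
    """
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_script_directive(directives: dict[str, list[str]]) -> str | None:
    """Name of the directive that actually governs <script> loads, or None."""
    for name in SCRIPT_DIRECTIVES:
        if name in directives:
            return name
    return None


def has_nonce_or_hash(values: list[str]) -> bool:
    """CSP Level 2+ browsers ignore 'unsafe-inline' in a directive that also
    carries a nonce or hash source, so it is not an exposure there."""
    prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return any(v.lower().startswith(prefixes) for v in values)


def evaluate_csp(header: str, document_url: str, source: str = "header") -> list[dict]:
    """Return evidence-style findings for one policy, worst severity first."""
    directives = parse_csp(header)
    findings: list[dict] = []
    for directive, values in directives.items():
        for value in values:
            key = value.lower()
            if key not in RISKY_SOURCES:
                continue
            if key == "'unsafe-inline'" and has_nonce_or_hash(values):
                continue  # neutralised by the nonce/hash in the same directive
            severity, why = RISKY_SOURCES[key]
            findings.append({
                "message": f"{value} {why}",
                "documentUrl": document_url,
                "source": source,
                "directive": directive,
                "value": [value],
                "cspSeverity": severity,
            })
    if effective_script_directive(directives) is None:
        findings.append({
            "message": "No script-src, script-src-elem or default-src directive: script sources are unrestricted.",
            "documentUrl": document_url,
            "source": source,
            "directive": "script-src",
            "value": [],
            "cspSeverity": 10,
        })
    return sorted(findings, key=lambda f: f["cspSeverity"], reverse=True)


if __name__ == "__main__":
    # Constructed sample policy, modelled on the one quoted in the CSP Violations message.
    policy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.youtube.com; img-src *"
    for finding in evaluate_csp(policy, "https://example.test/"):  # hypothetical document URL
        print(finding["cspSeverity"], finding["directive"], finding["value"], finding["message"])
```

Running the sample policy yields three findings, in descending severity: 'unsafe-inline' and 'unsafe-eval' on script-src, then the wildcard on img-src. The nonce/hash rule matters when triaging: a policy such as `script-src 'nonce-…' 'unsafe-inline'` is reported clean, because the keyword is only there for pre-CSP2 browsers and modern ones ignore it.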
Cross-Domain Subresource Integrity Failure
[assessmentName = cross_domain_subresource_integrity_failure]

Example Response

```json
{
  "type": "Script",
  "resource": "url",
  "hash": "Failed to find a valid digest in the 'integrity' attribute for resource 'url' with computed SHA-256 integrity 'CdZ5YfsFUiC3gCJeUOvnoduGoxgDH0EugrrlwIuw+U4='. The resource has been blocked.",
  "resolution": "blocked"
}
```

Response Attributes

Field | Type | Description
type | String | The type of HTML resource.
resource | String | A link to the resource as defined in the web application.
hash | String | The hash value present in the HTML element.
resolution | String |

CSP Violations
[details.assessment_name = csp_violation]

Example Response

```json
{
  "lineNumber": 165,
  "resolutionStatus": "blocked",
  "message": "Refused to load the script 'url' because it violates the following Content Security Policy directive: \"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.youtube.com\". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.\n",
  "resourceUrl": "url"
}
```

Response Attributes

Field | Type | Description
lineNumber | Integer | The line number in the source page.
resolutionStatus | String | The action the browser took when loading the resource.
message | String | A summary of the issue.
resourceUrl | String | The resource URL that had the CSP violation.

January 15, 2026: Corrected assessmentName parameter to details.assessment_name.
May 15, 2024: Added details to Content Security Policy Configurations response.
December 12, 2023: Included general finding details; added table of contents.
August 11, 2023: Published.
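The two subresource-integrity assessments above report, respectively, an element with no integrity attribute and an element whose digest does not match the bytes served (which the browser then blocks). The Python below is an added example, not Bitsight's code, of performing both checks the way a browser does: compute the `sha256-…` integrity value for the fetched body, use only the strongest algorithm listed in the attribute, and produce a record with the same field names and wording as the example responses. The "loaded" resolution value, the sample script body and the CDN URL are this example's own assumptions.

```python
"""Reproduce the two subresource-integrity checks described above: whether a
cross-origin <script>/<link> element carries an integrity attribute at all,
and whether a digest in that attribute matches the bytes actually served.

Added example, not Bitsight's code. Field names follow the example responses;
the "loaded" resolution value, the sample script body and the hypothetical
URL are this example's own assumptions.
"""
from __future__ import annotations

import base64
import hashlib

# Algorithms SRI recognises, weakest to strongest; anything else is ignored.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}
DISPLAY = {"sha256": "SHA-256", "sha384": "SHA-384", "sha512": "SHA-512"}


def sri_digest(data: bytes, alg: str = "sha256") -> str:
    """Integrity value for `data`, e.g. 'sha256-47DEQ...': base64 of the raw hash."""
    if alg not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    raw = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(raw).decode('ascii')}"


def parse_integrity(attr: str) -> dict[str, set[str]]:
    """Parse a space-separated integrity attribute into {alg: {digests}}.

    Tokens with an unrecognised algorithm are dropped, and an optional
    '?options' suffix after the digest is stripped, as the SRI spec requires.
    """
    parsed: dict[str, set[str]] = {}
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        alg = alg.lower()
        if sep and alg in STRENGTH:
            parsed.setdefault(alg, set()).add(rest.split("?", 1)[0])
    return parsed


def check_subresource(element_type: str, resource_url: str,
                      integrity: str | None, body: bytes) -> dict:
    """Evaluate one element against the bytes fetched for it and return an
    evidence-style record matching the two assessments above."""
    if integrity is None or not integrity.strip():
        # Cross-Domain Subresource Integrity Check: nothing pins the content.
        return {"type": element_type, "resource": resource_url,
                "hash": "Integrity attribute missing"}

    wanted = parse_integrity(integrity)
    if not wanted:
        # Only unknown algorithms: browsers treat this as no integrity metadata.
        return {"type": element_type, "resource": resource_url,
                "hash": "Integrity attribute has no recognised algorithm",
                "resolution": "loaded"}

    # Browsers consider only the strongest algorithm listed; any matching
    # digest of that algorithm is enough.
    alg = max(wanted, key=lambda a: STRENGTH[a])
    computed = sri_digest(body, alg).split("-", 1)[1]
    if computed in wanted[alg]:
        return {"type": element_type, "resource": resource_url,
                "hash": f"{alg}-{computed}", "resolution": "loaded"}

    # Cross-Domain Subresource Integrity Failure: same wording as the example response.
    return {
        "type": element_type,
        "resource": resource_url,
        "hash": (f"Failed to find a valid digest in the 'integrity' attribute for resource "
                 f"'{resource_url}' with computed {DISPLAY[alg]} integrity '{computed}'. "
                 "The resource has been blocked."),
        "resolution": "blocked",
    }


if __name__ == "__main__":
    # Constructed sample: the bytes a CDN would serve, and three element variants.
    served = b"window.widget = function () { return 'ok'; };\n"
    url = "https://cdn.example.test/widget.js"  # hypothetical
    for integrity in (None, sri_digest(served), "sha256-AAAA"):
        print(check_subresource("Script", url, integrity, served))
```

The three sample elements produce, in order, the "Integrity attribute missing" record, a loaded resource, and the blocked-resource message with the computed SHA-256 value. One caveat the evidence does not spell out: a cross-origin element also needs a `crossorigin` attribute and a CORS-enabled response, otherwise the browser cannot read the bytes to hash them and blocks the load even when the digest would have matched.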
Comments

Harry Paul, April 16, 2025 14:26:
There appears to be a typo. The Content Security Policy Configurations section has the assessmentName listed as "cross_domain_subresource_integrity_check" when I think it should be "content_security_policy".

Ingrid, April 16, 2025 15:07:
You're correct. Thanks for letting us know! Fixing shortly.