Content Security Policy Violations are scanned as part of the Cross-site Scripting Security Tests used to evaluate the Web Application Security Risk Vector.
This security test assesses whether the website content and security policies are incongruent, by checking if any CSP violation error is thrown by the browser. Only non-report-only violations count toward grading.
Need to fix this?
- Monitor websites for Content Security Policy (CSP) violations, as these frequently signal attempts to load unapproved external resources, creating a security risk. Violation details are in the evidence section and can be viewed in your browser's developer tools Console tab.
What is the risk? While the CSP configuration might effectively block a resource from being loaded or used, the fact that a CSP violation error is thrown means that the website content and security policies are misaligned, which can lead to unexpected application behavior.
Having any unresolved CSP violations is not considered a best practice and can lead to alert fatigue, which will prevent the detection of actual threats.
How are the CSP Violations detected? We detect CSP violation errors thrown by the browser. Report-only violations do not count towards the grade but serve as informational data to test the CSP implementation without risking functionality.
How can I check the CSP Violations in my web application? Use Chrome Developer Tools (Console) to check for CSP Violation errors.
How can I check if a CSP configuration is congruent with the web application? When the web application does not throw CSP violation errors, its behavior and CSP configurations are aligned.
Does this impact my WAS Risk Vector Grade? Yes.
Possible Grades:
- Good: No CSP violations (Weight = 0).
- Warn: At least one unique CSP violation found (Weight = 10 or 100).
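The detection and grading rules above (report-only violations are informational; any unique enforced violation yields Warn) can be reproduced in the browser, as in this added example, which is not part of the original article. It assumes the standard `securitypolicyviolation` event fields and a hypothetical key of directive, blocked URI and document URI for deciding what counts as one unique violation.

```javascript
// Added example, not from the article: collect CSP violation events in the
// browser and grade them as the article describes.

// Two reports are "the same" violation when directive, blocked URI and
// document match (assumed key; field names follow SecurityPolicyViolationEvent).
function violationKey(v) {
  return [v.effectiveDirective, v.blockedURI, v.documentURI].join("|");
}

// Split reports into enforced vs report-only and de-duplicate each group.
function summarizeViolations(reports) {
  const enforced = new Map();
  const reportOnly = new Map();
  for (const v of reports) {
    const bucket = v.disposition === "report" ? reportOnly : enforced;
    const key = violationKey(v);
    if (!bucket.has(key)) bucket.set(key, { ...v, count: 0 });
    bucket.get(key).count += 1;
  }
  return { enforced: [...enforced.values()], reportOnly: [...reportOnly.values()] };
}

// Grade as the article states: "Good" only when no enforced violation remains;
// report-only violations never affect the grade.
function cspGrade(reports) {
  return summarizeViolations(reports).enforced.length === 0 ? "Good" : "Warn";
}

// In a live page, feed browser events into the collector (guarded so the
// module also runs outside a browser, e.g. in Node).
const collected = [];
if (typeof document !== "undefined") {
  document.addEventListener("securitypolicyviolation", (e) => {
    collected.push({
      disposition: e.disposition, effectiveDirective: e.effectiveDirective,
      blockedURI: e.blockedURI, documentURI: e.documentURI,
      sourceFile: e.sourceFile, lineNumber: e.lineNumber,
    });
  });
}

// Constructed sample reports (not real data): one enforced script-src
// violation fired twice, plus one report-only img-src violation.
const SAMPLE_REPORTS = [
  { disposition: "enforce", effectiveDirective: "script-src", blockedURI: "https://cdn.example/widget.js", documentURI: "https://www.example/", sourceFile: "https://www.example/", lineNumber: 12 },
  { disposition: "enforce", effectiveDirective: "script-src", blockedURI: "https://cdn.example/widget.js", documentURI: "https://www.example/", sourceFile: "https://www.example/", lineNumber: 40 },
  { disposition: "report", effectiveDirective: "img-src", blockedURI: "https://img.example/a.png", documentURI: "https://www.example/", sourceFile: "https://www.example/", lineNumber: 3 },
];
```

Running `cspGrade(SAMPLE_REPORTS)` in the console yields "Warn" because one unique enforced violation is present; the report-only entry alone would grade "Good".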
What will I see in the Portal?
Finding Message: The page attempted to load a resource that was blocked by the CSP policy. The presence of such an error suggests that:
- The website content and security policies are incongruent.
- The website unknowingly includes third-party content.
- Malicious code is injected into the website but blocked by the CSP.
Good to Know:
- Users can self-evaluate CSPs using Google Chrome’s Lighthouse report feature to identify potential issues.