Content Security Policy Configuration Findings are scanned as part of the Cross-site Scripting Security Tests used to evaluate the Web Application Security Risk Vector.
We assess whether the web application includes an effective CSP configuration that helps prevent cross-site scripting and dynamic content injection attacks. We adhere to best practices set forth by Google via the CSP Evaluator project, which aligns with the OWASP Top 10.
A good CSP should:
- Implement directives that set valid source restrictions from where the client can load frames and scripts as well as limit where the client can submit form data.
- Restrict plugins and specify a valid resource for reporting policy violations.
- Not contain “unsafe” keywords or include wildcards that are ineffective for restricting sources.
Need to fix this?
- Replace 'unsafe-inline'/'unsafe-eval' with script-src nonces or hashes.
- Use 'strict-dynamic' together with nonces/hashes for modern, non-brittle CSPs.
- Define a strict default-src, then narrow specific directives (script-src, style-src, etc.).
- Validate and fully qualify all source values.
- If headers are set outside the application (no nonces), use hash-based policies or inject CSP at the application layer to enable nonces.
Additionally, consider evaluating the CSP policy using an online tool such as csp-evaluator or Google Chrome’s Lighthouse tool to identify common mistakes or bad practices.
Our assessment focuses on the most important objective of a good CSP: preventing cross-site scripting and dynamic content injection attacks. The policy is evaluated on the following criteria:
- Existing and properly formatted CSP configuration;
- Presence of the `default-src`, `script-src`, and `object-src` directives;
- No use of 'unsafe-inline' or 'unsafe-eval' (or complementary use of nonces or hashes in `script-src`);
- No use of wildcards or allow lists;
- No use of plain URL schemes in certain directives.
We evaluate only CSP policies included in content-security-policy headers and Content-Security-Policy meta tags. We do not evaluate content-security-policy-report-only headers.
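To make the criteria above concrete, here is a small checker, added as an example and not Bitsight's own scanner, that parses a CSP header value and reports the issues the assessment looks for: missing `default-src`/`script-src`/`object-src`, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcards, and plain URL schemes. The two policies it runs on are constructed samples (the weak one beside a hardened one); the checker does not attempt allowlist or report-only analysis.

```python
import re

# Constructed sample policies (not from the page): a weak header value beside a hardened one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval' https:; img-src https:"
STRICT_CSP = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'; form-action 'self'; "
              "frame-ancestors 'none'; report-uri /csp-report")

REQUIRED = ("default-src", "script-src", "object-src")
# A bare scheme such as "https:" or "data:" allows any origin using that scheme.
SCHEME_RE = re.compile(r"^(https?|data|blob|filesystem|ws|wss):$")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """Parse a header value into {directive: [source, ...]}.
    Browsers keep the first occurrence of a repeated directive, so we do too."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(policy):
    """Return a list of finding strings; an empty list means the policy is issue-free."""
    d = parse_csp(policy)
    if not d:
        return ["no CSP directives found"]
    findings = [f"missing {name} directive" for name in REQUIRED if name not in d]
    # script-src falls back to default-src when absent, so judge the effective script sources.
    script = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script and not any(s.startswith(NONCE_OR_HASH) for s in script):
        findings.append("script-src allows 'unsafe-inline' without nonces/hashes")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    for name in REQUIRED:
        for src in d.get(name, []):
            if src == "*" or src.startswith("*."):
                findings.append(f"{name} uses wildcard {src}")
            elif SCHEME_RE.match(src):
                findings.append(f"{name} allows plain scheme {src}")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, check_csp(policy) or ["issue-free"])
```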
What is the risk? A non-existent or ineffective CSP policy leaves a web application vulnerable to attacks such as cross-site scripting and dynamic content injection. These can cause severe damage, including sensitive data theft, session hijacking, and malicious content execution.
How are the CSP configurations detected? We detect CSP policies that are defined via HTTP headers, HTML meta tags, or both. Multiple policies are interpreted cumulatively, with stricter policies taking precedence.
How can I check the CSP configuration in my web application? Use Chrome Developer Tools to check for CSP configurations defined in the HTTP headers or HTML meta tags.
How can I check if a CSP configuration is effective? Use tools such as the CSP Evaluator to check if the CSP configuration is properly and effectively configured (i.e., it does not include syntax or other errors that may render it unusable).
Our evaluation of CSP configurations may differ from the evaluation performed by other tools, such as CSP Evaluator. Make sure to check the evidence that we collect in Bitsight and its Failed or Passed status.
Does this impact my WAS Risk Vector Grade? Yes.
Possible Grades:
- Good: CSP policy is issue-free. (Weight = 0)
- Fair: No CSP or ineffective CSP found. (Weight = 0 or 0.1)
What will I see in the Portal?
Issue: The Content Security Policy is missing or insecure.
Details: The Content Security Policy is not effective at meeting the security objectives defined for preventing Cross Site Scripting attacks, such as:
- Preventing loading of unauthorized content resources and scripts
- Preventing clickjacking and other nested frame attacks
- Ensuring that web forms and links behave as intended.
More to Learn:
- Users can self-evaluate CSPs using Google Chrome’s Lighthouse report feature to identify potential issues.
- Want to learn more about how we assess Content Security Policy Configurations? Learn more at Bitsight Academy!