CSP HEADER INSECURE

Feature       Value
Type          Detection
Risk          -
Covered by    Agent

The application does not use the Content Security Policy (CSP) header properly.

CSP is a W3C specification that instructs the client browser which types of resources may be loaded and from which locations. The specification uses directives (script-src, img-src, frame-ancestors and so on) to define the loading behaviour for each resource type.

Content Security Policy (CSP) is a relatively new technology, originally developed at Mozilla and now standardised by the W3C, that web applications can use as an additional layer of protection against Cross-Site Scripting (XSS). Protection against XSS is the primary goal of CSP. A secondary goal is to protect against clickjacking, through the frame-ancestors directive. Directives can be delivered in an HTTP response header (a server may send more than one CSP header field with a given resource representation, in which case every policy is enforced) or in an HTML meta tag; note that the meta form cannot express frame-ancestors, report-uri or sandbox, so the header form is preferred. The HTTP headers below are defined by the specs:

Header                      Spec          Chrome                Firefox                 Safari   IE / Edge
Content-Security-Policy     CSP Level 2   40+ Full (Jan 2015)   31+ Partial (Jul 2014)  -        -
Content-Security-Policy     CSP 1.0       25+                   23+                     7+       Edge 12 (build 10240+)
X-Content-Security-Policy   Deprecated    -                     4.0+                    -        IE 10+ (limited)
X-Webkit-CSP                Deprecated    14+                   -                       6+       -

Note: Sending both Content-Security-Policy and X-Content-Security-Policy or X-Webkit-CSP is known to cause unexpected behaviour on certain browser versions, because each header is interpreted by a different (and differently complete) implementation. Avoid the deprecated X-* headers and send only Content-Security-Policy.

CSP HEADERS should always have SECURE values

More information

How to solve it

It is always good security practice to send a proper value for this header.

CSP has no compatibility downside: a browser that does not support it simply ignores the header, so the site does not break for older clients. The practical cost is that a strict policy blocks inline scripts, inline event handlers and eval(), so existing pages may need refactoring. Roll a new policy out with Content-Security-Policy-Report-Only first, and switch to the enforcing header once the violation reports are clean.

Insecure configuration example:

    Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src *

The problem here is script-src *: it permits scripts from any origin, so an injected tag such as <script src="https://attacker-host/x.js"> is allowed to run, which nullifies the XSS protection that is the whole point of CSP. The policy also sets no frame-ancestors directive, so it provides no clickjacking protection. Script sources should be an explicit allow-list of trusted hosts (or nonces/hashes), and object-src and frame-ancestors should be set explicitly; img-src * is less critical but should be narrowed too.
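As an added example (not part of the original page or any scanner's own code), the following Python auditor implements the checks discussed above: it parses a CSP value, flags wildcard or unsafe sources in the script-controlling directives, reports a missing frame-ancestors directive, and warns when the deprecated X-* headers are sent alongside Content-Security-Policy. INSECURE_POLICY is the page's example; HARDENED_POLICY and the cdn.example.com host are assumed for illustration.

```python
"""Audit Content-Security-Policy header values for insecure directives.

Added example, not the page's own code. INSECURE_POLICY is the page's example;
HARDENED_POLICY and cdn.example.com are assumed for illustration.
"""

from typing import Dict, List

INSECURE_POLICY = (
    "default-src 'self'; img-src *; media-src media1.com media2.com; script-src *"
)
# Assumed hardened variant: explicit script allow-list, no plugins, no framing.
HARDENED_POLICY = (
    "default-src 'self'; img-src 'self' https:; media-src media1.com media2.com; "
    "script-src 'self' https://cdn.example.com; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'none'"
)

DEPRECATED_HEADERS = ("x-content-security-policy", "x-webkit-csp")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source expressions]}.

    Directives are ';'-separated and tokens whitespace-separated; the first
    token is the directive name. Browsers honour the first occurrence of a
    repeated directive and ignore later ones, so this parser does the same.
    """
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def audit_policy(policy: str) -> List[str]:
    """Return findings for the directives that control code execution.

    script-src and object-src fall back to default-src when absent;
    frame-ancestors does not, so if it is missing CSP gives no clickjacking
    protection at all.
    """
    findings: List[str] = []
    directives = parse_csp(policy)
    default = directives.get("default-src")

    for name in ("script-src", "object-src"):
        sources = directives.get(name)
        label = name
        if sources is None:
            if default is None:
                findings.append(f"{name}: not set and no default-src fallback")
                continue
            sources, label = default, f"{name} (via default-src)"
        for src in sources:
            low = src.lower()
            if low == "*":
                findings.append(f"{label}: '*' allows loading from any origin")
            elif low in ("http:", "https:", "data:", "blob:", "filesystem:"):
                findings.append(f"{label}: scheme source {src} is effectively a wildcard")
            elif low == "'unsafe-inline'":
                findings.append(f"{label}: 'unsafe-inline' permits injected inline code")
            elif low == "'unsafe-eval'":
                findings.append(f"{label}: 'unsafe-eval' permits eval()-style execution")
            elif low.startswith("http://"):
                findings.append(f"{label}: {src} is fetched over plaintext HTTP")

    if "frame-ancestors" not in directives:
        findings.append("frame-ancestors: not set, so CSP offers no clickjacking protection")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Audit a response header map: the standard header must be present, and the
    deprecated X-* variants must not be sent (mixing them gives inconsistent
    enforcement across browsers). Header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if "content-security-policy" not in lower:
        findings.append("Content-Security-Policy: header not sent")
    else:
        findings.extend(audit_policy(lower["content-security-policy"]))
    for name in DEPRECATED_HEADERS:
        if name in lower:
            findings.append(f"{name}: deprecated header sent; remove it")
    return findings


if __name__ == "__main__":
    for title, policy in (("insecure", INSECURE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"[{title}]")
        for finding in audit_policy(policy) or ["no findings"]:
            print("  -", finding)
```

Run against the page's policy the auditor reports the script-src wildcard and the missing frame-ancestors; the hardened policy yields no findings. The parser deliberately keeps only the first occurrence of a duplicated directive, matching browser behaviour, so a "fix" appended after an existing weak script-src would still be reported as weak.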

More details about CSP