CSP HEADER MISSING
The application is not using the CSP header properly. CSP stands for Content Security Policy.
This is a W3C specification that instructs the client browser which types of resources may be loaded and from which locations. The CSP specification uses directives to define the loading behavior for each target resource type.
Content Security Policy (CSP) is a new(ish) technology put together by Mozilla that web apps can use as an additional layer of protection against Cross-Site Scripting (XSS). Protection against XSS is the primary goal of CSP. A secondary goal to protect against

Directives can be specified using an HTTP response header (a server may send more than one CSP HTTP header field with a given resource representation, and may send different CSP header field values with different representations of the same resource or with different resources) or an HTML meta tag. The HTTP headers below are defined by the specs:
- Content-Security-Policy : Defined by W3C Specs as standard header, used by Chrome version 25 and later, Firefox version 23 and later, Opera version 19 and later.
- X-Content-Security-Policy : Used by Firefox until version 23, and Internet Explorer version 10 (which partially implements Content Security Policy).
- X-WebKit-CSP : Used by Chrome until version 25.
[Browser support table: only the version cells survived extraction (40+ full, January 2015; 31+ partial; 25+; 23+; 7+; Edge 12 build 10240+); the column headers are lost.]
Note: It is known that sending both the standard Content-Security-Policy header and one of the deprecated X- headers causes unexpected behaviors on certain versions of browsers. Please avoid using the deprecated X-Content-Security-Policy and X-WebKit-CSP headers.
How to solve it
It is always good security practice to send a proper value for this header.
CSP appears to have no downside. It exists to make sites safer, and even if a client browser does not support it, it is entirely backwards-compatible, so the site will not break for that client.
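As an added example, not part of the original finding, the following Python checker applies the points above to one response's headers: it reports a missing Content-Security-Policy header, flags the deprecated X- headers (alone or alongside the standard one), and parses the directives to spot settings that undo the XSS protection. The header dictionaries and policy strings are constructed for illustration.

```python
# Added example: review one HTTP response's headers for the CSP finding above.
# Sample headers and policies below are constructed, not taken from a real site.
from typing import Dict, List

STANDARD = "content-security-policy"
DEPRECATED = ("x-content-security-policy", "x-webkit-csp")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}.
    Directives are ';'-separated; the first token of each is the name."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def review_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings (empty list means the policy looks sane)."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    deprecated = [h for h in DEPRECATED if h in lower]
    findings: List[str] = []
    if STANDARD not in lower:
        findings.append("CSP header missing")
        if deprecated:
            findings.append("only deprecated CSP header(s) sent: " + ", ".join(deprecated))
        return findings
    if deprecated:
        # mixing standard and deprecated headers misbehaves on some browser versions
        findings.append("standard CSP sent together with deprecated header(s): " + ", ".join(deprecated))
    d = parse_csp(lower[STANDARD])
    if "default-src" not in d:
        findings.append("no default-src fallback directive")
    for name in ("script-src", "default-src"):
        srcs = d.get(name, [])
        if "'unsafe-inline'" in srcs:
            findings.append(f"{name} allows 'unsafe-inline', which weakens XSS protection")
        if "*" in srcs:
            findings.append(f"{name} allows any origin (*)")
    return findings


# Constructed sample responses
MISSING = {"Content-Type": "text/html"}
WEAK = {"Content-Security-Policy": "script-src 'self' 'unsafe-inline' *",
        "X-Content-Security-Policy": "script-src 'self'"}
GOOD = {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}
```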