Content-Security-Policy-Vulnerability/EN
Check of the Content Security Policy (CSP)
If the result is positive, there is no need for further action. If the result is negative, please read the following instructions.
Result positive | A secure configuration of the Content Security Policy (CSP) was found. |
Result negative | Content Security Policy insecure |
Description | The Content Security Policy (CSP) is a security concept designed to reduce the risk of injection and execution of malicious code in a web application (content injection attacks). By means of a whitelist (a list of allowed sources), it determines from which sources JavaScript code, images, fonts, and other content may be loaded into your site. |
Background | A Content Security Policy (CSP) requires careful coordination and a precise definition of the security concept. When CSP is enabled, it has a significant impact on the way the browser renders (composes) the pages. For example, inline JavaScript is disabled by default and must be explicitly allowed in the policy. The CSP can help mitigate code injection attacks. |
Consequence | The Content Security Policy is a powerful way to increase the security of web pages. On the other hand, it is rarely possible to deploy a secure CSP header without modifying the source code of the web page. |
Solution/Tips | If the Content Security Policy is not configured securely, your web application may load content from insecure sources.

Use the CSP with default-src 'none' or 'self' and without the unsafe-eval or unsafe-inline source keywords. For more information about the Content Security Policy, please refer to SELFHTML.

Example for the header on the start page (as meta elements in the HTML head):

    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
    <meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; script-src 'self'">
    <meta http-equiv="X-WebKit-CSP" content="default-src 'self'; script-src 'self'">

Configuration of the web server

If you can configure your own web server, which is usually not possible in low-budget hosting packages, you can set the header via changes to .htaccess:

    # Download / load content only from explicitly allowed sites
    # Example: allow everything from own domain, nothing from external sources:
    Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self' siwecos.de; object-src 'self'; script-src 'self'; style-src 'self';"

Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example) |
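The rule of thumb given above (default-src restricted to 'none' or 'self', no unsafe-inline or unsafe-eval) can be turned into a small self-check before a policy is deployed. The following is an added example, not SIWECOS code and not the logic of the Header Scanner itself, whose exact criteria are not published on this page; it parses a CSP header value the way browsers tokenise it (directives separated by ';', the first occurrence of a directive wins) and reports which of the page's criteria a policy misses. The two policies from the page are used as inputs, together with a constructed weak policy for comparison.

```python
"""Added example: apply the page's CSP rule of thumb to a header value.

Assumption: the real Header Scanner may apply further or different checks;
this checker only encodes the three criteria stated on the page:
  1. default-src must be present,
  2. default-src must be exactly 'none' or 'self',
  3. no directive may contain 'unsafe-inline' or 'unsafe-eval'.
"""
from typing import Dict, List

# Policies copied from the page's own examples (meta element and .htaccess).
PAGE_META_POLICY = "default-src 'self'; script-src 'self'"
PAGE_HTACCESS_POLICY = (
    "default-src 'none'; frame-src 'self'; font-src 'self';"
    "img-src 'self' siwecos.de; object-src 'self'; script-src 'self'; style-src 'self';"
)
# Constructed weak policy for comparison (not from the page).
WEAK_POLICY = "default-src * 'unsafe-inline'; script-src 'self' 'unsafe-eval'"

UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive name: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive; as in browsers, a repeated directive is ignored and
    the first occurrence is kept.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. from a trailing ';'
        name = tokens[0].lower()
        if name in policy:
            continue  # first directive wins, later duplicates are ignored
        policy[name] = tokens[1:]
    return policy


def check_csp(header: str) -> List[str]:
    """Return a list of findings; an empty list means the policy meets the page's criteria."""
    policy = parse_csp(header)
    findings: List[str] = []

    default = policy.get("default-src")
    if default is None:
        findings.append(
            "default-src missing: fetch directives not listed fall back to allowing any source"
        )
    elif default not in (["'none'"], ["'self'"]):
        findings.append(f"default-src is too broad: {' '.join(default)}")

    for name, sources in policy.items():
        lowered = [s.lower() for s in sources]
        for keyword in UNSAFE_KEYWORDS:
            if keyword in lowered:
                findings.append(f"{name} allows {keyword}")
    return findings


if __name__ == "__main__":
    for label, value in (
        ("page meta example", PAGE_META_POLICY),
        ("page .htaccess example", PAGE_HTACCESS_POLICY),
        ("constructed weak policy", WEAK_POLICY),
    ):
        result = check_csp(value)
        print(f"{label}: {'OK' if not result else 'FINDINGS'}")
        for finding in result:
            print(f"  - {finding}")
```

Both policies from the page pass; the constructed weak policy produces three findings (a broad default-src, unsafe-inline in default-src and unsafe-eval in script-src). Note that the check looks only at the header value: a policy delivered via a meta element cannot carry every directive (for example frame-ancestors is ignored there), so delivering it as a real HTTP response header, as in the .htaccess example, is the more complete option.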