Issue name

Content security policy: not enforced

Typical severity

Information

Issue description

Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviours such as untrusted JavaScript execution. Websites can specify their security policy in a response header or meta tag, enabling fine-grained control over dangerous features like scripts and stylesheets.

Issue remediation

We recommend transitioning from using the Content-Security-Policy-Report-Only header to the Content-Security-Policy header for CSP deployment, ensuring effective policy enforcement.

References

Web Security Academy: What is CSP?
Content Security Policy (CSP)

Vulnerability classifications

Issue name

Typical severity

Issue description

Issue remediation

References

Vulnerability classifications

Web intro