tickets #161132
Content-Security-Policy (CSP)
Status: open
Done: 0%
Description
Dear team,
The attached document has URLs that have issues with web application headers,
specifically with Content Security Policy, and are marked by multiple third-party
security assessment vendors such as BitSight with a bad mark. The reports from
these vendors are being used by our customer to assess / judge our security
posture, which sometimes becomes a roadblock in new / renewal sales deals. Hence
it is recommended to remediate this issue.
Description:
When used, their presence indicates a company has a good cyber security
posture. A properly configured Content-Security-Policy (CSP) can help
prevent cross-site scripting (XSS) attacks by restricting the origins of
JavaScript, CSS, and other potentially dangerous resources.
As the remediation differs from site to site, here are some points:
- Implement directives that set valid source restrictions from where the
  client can load frames and scripts, as well as limit where the client can
  submit form data.
- Restrict plugins and specify a valid resource for reporting policy
  violations.
- Do not contain "unsafe" keywords or include wildcards that are ineffective
  for restricting sources.
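As an added example, not part of the ticket or its attachment: a small Python audit that checks a CSP header value against the points above (the set of directives checked, the fallback rules and the sample headers are my assumptions; the rules a vendor scanner such as BitSight applies are not published here and may differ).

```python
# Constructed checks for a Content-Security-Policy header, one per remediation point.
REQUIRED_WITH_FALLBACK = ("script-src", "frame-src", "object-src")  # default-src covers these
REQUIRED_EXPLICIT = ("frame-ancestors", "form-action")  # never inherit from default-src
REPORTING = ("report-uri", "report-to")
UNSAFE = ("'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'")
SCRIPT_LIKE = ("default-src", "script-src", "object-src")  # data:/blob: is risky only here


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first directive wins, as in browsers
    return policy


def audit_csp(header):
    """Return a list of findings for one header; an empty list means it passes."""
    policy = parse_csp(header)
    findings = []
    for d in REQUIRED_WITH_FALLBACK:
        if d not in policy and "default-src" not in policy:
            findings.append(f"{d} missing and no default-src fallback")
    for d in REQUIRED_EXPLICIT:
        if d not in policy:
            findings.append(f"{d} missing (does not inherit default-src)")
    if not any(r in policy for r in REPORTING):
        findings.append("no report-uri/report-to for violation reports")
    for d, sources in policy.items():
        for s in sources:
            low = s.lower()
            # Scanners flag 'unsafe-inline' even when a nonce makes modern browsers ignore it.
            if low in UNSAFE:
                findings.append(f"{d} allows {low}")
            elif s == "*" or low in ("http:", "https:") or (low in ("data:", "blob:") and d in SCRIPT_LIKE):
                findings.append(f"{d} uses wildcard or scheme-only source {s}")
    return findings


# Constructed sample headers: a weak policy and a hardened one (nonce value is made up).
WEAK = "default-src * 'unsafe-inline'; script-src https: 'unsafe-eval'"
HARD = ("default-src 'self'; script-src 'self' 'nonce-abc123'; frame-src 'none'; "
        "frame-ancestors 'none'; form-action 'self'; object-src 'none'; "
        "report-uri /csp-report")
```

Run `audit_csp(WEAK)` to see the seven findings the weak policy produces; `audit_csp(HARD)` returns an empty list.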
--
Lukas Vyparina
Security Engineer
M: +421 907 941 136
SUSE Linux s.r.o.
Křižikova 148/34
186 00 Praha 8
Czech Republic
Files
Checklist
- CSP Wiki
- CSP TSP
- CSP Static
- CSP Planet
- CSP Status
- CSP Downloadcontent
- CSP Lizards
- CSP OSC-Collab
- CSP Hackweek
- CSP Code (Pagure)
- CSP OSRT
- CSP Mirrors
- CSP Fontinfo
- CSP 101
- CSP SVN
- CSP Codecs
- CSP Mauritius