Description
Content Security Policy (CSP) is a mechanism that mitigates cross-site scripting (XSS) and similar injection attacks by limiting which external web resources a page is permitted to load and execute. Web applications that do not declare a CSP, or that declare an overly permissive one, may be unnecessarily exposed to XSS and similar attacks.
Set a CSP that implements the principle of least privilege to guard against HTML or code injection, as in the following example:
Content-Security-Policy: default-src https:; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'
Set the most restrictive policy that maintains application functionality. Consider using a CSP generator to assist with this task.
If the application requires 'unsafe-inline' directives to function, begin removing inline scripts and styles (including those that scripts add dynamically to the DOM) so that the 'unsafe-inline' directives can eventually be dropped; prioritize removing inline scripts so that 'unsafe-inline' is removed from script-src first.
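As an added example (not code from this issue or the project it describes), the following JavaScript parses a Content-Security-Policy header value and reports the weaknesses this finding describes: no policy at all, a missing default-src, resource types left unrestricted, 'unsafe-inline' or 'unsafe-eval', and a script-src that accepts code from any origin. The directive list, the severity labels and the finding wording are assumptions chosen for illustration; the policy from the example above is expected to audit clean.

```javascript
// Added example, not code from the original issue: audit a CSP header value
// for the least-privilege problems described in the finding. Severity
// labels and message wording are assumptions chosen for illustration.

// Resource directives that fall back to default-src when not declared.
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'connect-src'];

// Split a header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    const sources = tokens.slice(1).map((s) => s.toLowerCase());
    // Browsers honour only the first occurrence of a duplicated directive.
    if (!policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Sources that actually apply to a directive, or null when nothing restricts it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.has('default-src') ? policy.get('default-src') : null;
}

// Return a list of "severity: message" strings; an empty list means no finding.
function auditCsp(header) {
  if (!header || header.trim() === '') {
    return ['high: no Content-Security-Policy header declared'];
  }
  const policy = parseCsp(header);
  const findings = [];
  if (!policy.has('default-src')) {
    findings.push('medium: default-src missing, undeclared resource types are unrestricted');
  }
  for (const directive of FETCH_DIRECTIVES) {
    const sources = effectiveSources(policy, directive);
    if (sources === null) {
      findings.push(`medium: ${directive} unrestricted (no directive and no default-src)`);
      continue;
    }
    // Inline script is the primary XSS vector, so it outranks inline style.
    // (Modern browsers ignore 'unsafe-inline' for scripts once a nonce or hash
    // is present; it is still reported so that it gets removed.)
    const inlineSeverity = directive === 'script-src' ? 'high' : 'medium';
    if (sources.includes("'unsafe-inline'")) {
      findings.push(`${inlineSeverity}: ${directive} allows 'unsafe-inline'`);
    }
    if (sources.includes("'unsafe-eval'")) {
      findings.push(`high: ${directive} allows 'unsafe-eval'`);
    }
    // A scheme-only or wildcard script source lets any matching origin serve code.
    if (directive === 'script-src' &&
        sources.some((s) => s === '*' || s === 'http:' || s === 'https:')) {
      findings.push(`high: ${directive} accepts scripts from any origin (${sources.join(' ')})`);
    }
  }
  return findings;
}

// Usage: the example policy from the finding above audits clean.
console.log(auditCsp("default-src https:; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'"));
// A policy that still depends on inline code produces ordered findings.
console.log(auditCsp("script-src 'self' 'unsafe-inline'; style-src 'unsafe-inline' https:"));
```

Running the audit against the response headers of each route during CI, and failing the build on any `high:` finding, turns the "most restrictive policy that maintains functionality" guidance into a regression check rather than a one-off review.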