humanprotocol / human-protocol

Human Protocol python/js/ts Monorepo with example
https://dashboard.humanprotocol.org
MIT License

Unsafe security header: Content-Security-Policy #2297

Closed basit511 closed 1 week ago

basit511 commented 1 month ago

URL: https://www.humanprotocol.org/

Bug: Unsafe security header: Content-Security-Policy

Evidence:

Response headers include the HTTP Content-Security-Policy security header with the following security issues: default-src: The default-src directive should be set as a fall-back when other restrictions have not been specified. script-src: script-src directive is missing. object-src: Missing object-src allows the injection of plugins which can execute JavaScript. We recommend setting it to 'none'. base-uri: Missing base-uri allows the injection of base tags. They can be used to set the base URL for all relative (script) URLs to an attacker controlled domain. We recommend setting it to 'none' or 'self'.

Vulnerability description:

The Content-Security-Policy (CSP) header configured for the web application includes unsafe directives. The CSP header activates a protection mechanism implemented in web browsers which prevents exploitation of Cross-Site Scripting vulnerabilities (XSS) by restricting the sources from which content can be loaded or executed.

Risk description:

For example, if the unsafe-inline directive is present in the CSP header, the execution of inline scripts and event handlers is allowed. This can be exploited by an attacker to execute arbitrary JavaScript code in the context of the vulnerable

Recommendation:

Remove the unsafe values from the directives, adopt nonces or hashes for safer inclusion of inline scripts if they are needed, and explicitly define the sources from which scripts, styles, images or other resources can be loaded.
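
The checks behind the evidence and recommendation above, as an added example that is not part of the issue or the humanprotocol code base: it parses a Content-Security-Policy header value and reports the missing directives and the 'unsafe-inline' weakness described in the report. The header values are constructed samples, and the nonce value is a placeholder.

```javascript
// Added example: a small checker for the CSP weaknesses listed in the issue.
// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(headerValue) {
  // A CSP is a ';'-separated list of directives: "name source source ...".
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so keep only the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a list of findings matching the scanner output quoted in the issue.
function checkCsp(headerValue) {
  const d = parseCsp(headerValue);
  const findings = [];
  if (!d.has('default-src')) {
    findings.push('default-src missing: no fall-back for unspecified fetch directives');
  }
  if (!d.has('script-src')) {
    findings.push('script-src missing: script loading falls back to default-src, or is unrestricted');
  }
  if (!d.has('object-src')) {
    findings.push("object-src missing: plugins can be injected; set it to 'none'");
  }
  if (!d.has('base-uri')) {
    findings.push("base-uri missing: injected <base> tags can redirect relative script URLs; set 'none' or 'self'");
  }
  // Inline scripts run when the effective script source list allows
  // 'unsafe-inline' and carries no nonce or hash (a nonce/hash disables it).
  const scriptSources = d.get('script-src') || d.get('default-src') || [];
  const hasNonceOrHash = scriptSources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (scriptSources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' allows inline scripts and event handlers; use nonces or hashes instead");
  }
  return findings;
}

// Constructed samples: a weak policy reproducing the four findings in the
// evidence, and a hardened policy following the recommendation.
const WEAK_CSP = "frame-ancestors 'self'; img-src 'self' https:";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'; " +
  "base-uri 'self'; frame-ancestors 'self'";

console.log(checkCsp(WEAK_CSP));      // four findings
console.log(checkCsp(HARDENED_CSP));  // []
```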

basit511 commented 1 month ago

@ansaqib This vulnerability is repetitive.

basit511 commented 1 month ago

@ivhus Any update on this?

ansaqib commented 1 week ago

@ivhus - What's the update on this?

ivhus commented 1 week ago

That's for 3rd party, Webflow

basit511 commented 1 week ago

@ivhus Can we close this?

ivhus commented 1 week ago

@basit511 yes