jbrun001 / roombooking

Creative Commons Zero v1.0 Universal

Security. v0 aggressive test. Medium. Content Security Policy: default-src 'none' is being flagged as a wildcard. There are 9 instances in the app. This setting tells the browser what the approved sources of content are. Because it is set to none, this is a risk. This needs altering and testing in the app.use section where the security headers are currently set. Evidence can be found by examining the headers of the page in developer tools > network in the browser when using the pages. #40

Closed jbrun001 closed 5 months ago

jbrun001 commented 6 months ago

https://github.com/jbrun001/roombooking/blob/main/Security%20v0%20full%20test%20results%202024-03-05-ZAP-Report-.zip Full zipped security report with detailed results is here - please don't unzip it into the roombooking folder, as it's quite large.

jbrun001 commented 5 months ago

This is an odd error, because setting the default to none is actually saying: if there aren't any other instructions, don't allow any access. It should not make any difference what this is, none or the URL of production, because we specify everything elsewhere. This has now been changed as part of the #46 changes to be http://localhost:8000, or if there is a value in .env PRODUCTION_URL= it will be forced to that.

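How the default-src fallback described in the comment above actually behaves, as an added example that is not part of this issue or of the roombooking code base: a small model of CSP source matching that shows which directives inherit default-src when they are not set explicitly. The policy strings, the page origin and the directive list are constructed for illustration.

```javascript
// Added example, not the roombooking project's own code: a minimal model of the
// CSP directive-fallback rule discussed in the comment above. Real browsers do
// far more (nonces, hashes, scheme/port matching); this only handles host
// sources, 'self' and 'none' for the fetch directives that fall back to default-src.

// Fetch directives that inherit default-src when they are not set (subset).
const FALLBACK_TO_DEFAULT = [
  "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
  "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
];

// Parse "name src src; name2 src ..." into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name)) policy.set(name, sources); // first one wins
  }
  return policy;
}

// The source list that governs `directive`, after applying the default-src fallback.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLBACK_TO_DEFAULT.includes(directive)) return policy.get("default-src") ?? null;
  return null; // neither set: the policy does not restrict this directive
}

// Would the policy in `header` let a page at `pageOrigin` load `url` for `directive`?
function isAllowed(header, directive, url, pageOrigin) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  const origin = new URL(url).origin;
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return origin === pageOrigin;
    if (src === "*") return true;
    try { return new URL(src).origin === origin; } catch { return false; } // host source
  });
}

// Usage: compare the two default-src settings from the issue for a directive that
// is set explicitly (script-src) and one that is not (connect-src).
const strict = "default-src 'none'; script-src 'self'; img-src 'self'";
const loose = "default-src http://localhost:8000; script-src 'self'; img-src 'self'";
const page = "http://localhost:8000";
for (const d of ["script-src", "connect-src"]) {
  console.log(d, isAllowed(strict, d, `${page}/x`, page), isAllowed(loose, d, `${page}/x`, page));
}
```

For a directive that is set explicitly the default-src value is irrelevant, exactly as the comment says; for any fetch directive that is left out, the default-src value is what the browser applies.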

Issue closed