securityheaders / securityheaders-bugs

Bug tracker for https://securityheaders.io

CSP http-equiv meta tags not recognized #107

Closed mdekstrand closed 1 year ago

mdekstrand commented 2 years ago

The scanner does not seem to be parsing content security policies stored in http-equiv META tags; see for example this report. It also does not detect the <META name=referrer …> tag as equivalent to Referrer-Policy.

Since META tags are the only way to provide CSP (and related headers) on hosts such as GitHub Pages, it would be very helpful if the scanner could detect those headers, particularly for settings where the scanner is being used as an institutional compliance tool.
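A check for exactly the situation described in this issue, as an added example that is not part of the thread or of the securityheaders.io code: it extracts the CSP and referrer policy delivered through meta tags and flags the CSP directives the spec ignores in meta form (frame-ancestors, report-uri, sandbox), so a meta policy is not always equivalent to the header. The sample page and all function names are constructed for the example.

```python
from html.parser import HTMLParser

# Directives the CSP spec ignores when the policy arrives in a <meta> element rather than a header.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}


class MetaPolicyParser(HTMLParser):
    """Collect http-equiv Content-Security-Policy and name=referrer meta tags."""

    def __init__(self):
        super().__init__()
        self.csp = []
        self.referrer = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy":
            self.csp.append(a.get("content", ""))
        elif a.get("name", "").lower() == "referrer":
            self.referrer.append(a.get("content", ""))


def parse_csp(policy):
    """Split a serialized CSP into {directive: [source expressions]}."""
    out = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def scan_html(html):
    """Report meta-delivered policies and any CSP directives browsers ignore in meta form."""
    p = MetaPolicyParser()
    p.feed(html)
    ignored = set()
    for policy in p.csp:
        ignored |= META_IGNORED & set(parse_csp(policy))
    return {"csp": p.csp, "referrer": p.referrer, "ignored_in_meta": sorted(ignored)}


# Constructed sample page, as served from a static host that cannot set response headers.
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-ancestors 'none'; report-uri /csp">
<meta name="referrer" content="strict-origin-when-cross-origin">
</head><body></body></html>"""
```

Running `scan_html(SAMPLE_HTML)` reports the two policies and lists frame-ancestors and report-uri as ignored, which is the kind of caveat a scanner would need to surface if it scored meta-delivered headers.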

JAG-UK commented 1 year ago

+1 would like to see <meta http-equiv .../> included in the score. I can guess there might be a bunch of reasons why this might not be something the securityheaders team wants to support, but then the site should say so somewhere.

ScottHelme commented 1 year ago

Hey @JAG-UK @mdekstrand, we don't currently have plans to support meta tags. Sorry for the delay in a response here, but we'll update if the plans ever change 👍