wathne / dat250-2024-assignment

MIT License

Content security Policy (CSP) Header Not Set #7

Open LisaCabot opened 1 month ago

LisaCabot commented 1 month ago

Description: The lack of the protection may allow the use of Cross-Site Scripting.
Potential Impact: Depends on the Cross-Site Scripting used when exploiting this lack of protection.
Affected part of the application: Frontend, Page design
Type of vulnerability: Lack of protection when designing the header (https://cwe.mitre.org/data/definitions/693.html)

wathne commented 2 weeks ago

https://flask.palletsprojects.com/en/stable/web-security/#content-security-policy-csp

wathne commented 2 weeks ago

"default-src 'self'" is too strict.

[Screenshot 2024-11-04 at 13 21 17]
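Added example (not code from this repository, and not the Flask documentation's own snippet): a stdlib-only illustration of why a bare `default-src 'self'` breaks pages and how to loosen it per directive instead of dropping CSP. The resources the page is assumed to load (a stylesheet from `https://cdn.example.com`, a `data:` image, a same-origin script) are hypothetical stand-ins for whatever the screenshot showed being blocked. `allows()` is a simplified approximation of the browser's source matching (fallback to `default-src`, `'self'`, `'none'`, scheme sources, exact origins); `CSPMiddleware` is plain WSGI so it wraps a Flask app unchanged, and the same header logic fits in a Flask `after_request` handler.

```python
"""Build a Content-Security-Policy header and check which page loads it would block."""
import secrets
from urllib.parse import urlsplit

# Assumed origin of the application and the resources one of its pages loads
# (constructed sample data, not taken from the project).
APP_ORIGIN = "https://app.example.com"
PAGE_LOADS = [
    ("style-src", "https://app.example.com/static/site.css"),
    ("style-src", "https://cdn.example.com/bootstrap.min.css"),  # hypothetical CDN
    ("script-src", "https://app.example.com/static/app.js"),
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),
]


def build_csp(directives):
    """Serialise {directive: [sources]} into the header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def too_strict():
    """The policy the thread calls too strict: everything falls back to 'self'."""
    return {"default-src": ["'self'"]}


def tuned(nonce):
    """Keep 'self' as the default and open only the directives the page needs.

    Inline scripts are allowed via a per-request nonce instead of 'unsafe-inline'.
    """
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'"],
        "style-src": ["'self'", "https://cdn.example.com"],  # assumed CDN
        "img-src": ["'self'", "data:"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "frame-ancestors": ["'none'"],
    }


def allows(directives, directive, url, page_origin=APP_ORIGIN):
    """Approximate CSP matching: does `directive` (or default-src) permit `url`?"""
    sources = directives.get(directive, directives.get("default-src", []))
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    if "'none'" in sources:
        return False
    for src in sources:
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and parts.scheme == src[:-1]:  # scheme source, e.g. data:
            return True
        if src.startswith("'"):  # nonce/hash keywords govern inline content, not URLs
            continue
        if origin == src.rstrip("/"):  # exact origin match
            return True
    return False


def blocked_loads(directives):
    """URLs from PAGE_LOADS that the given policy would refuse."""
    return [url for d, url in PAGE_LOADS if not allows(directives, d, url)]


class CSPMiddleware:
    """WSGI wrapper that mints a nonce per request and sets the CSP header.

    The nonce is exposed in environ["csp.nonce"] so templates can render
    <script nonce="..."> for any inline script the page genuinely needs.
    """

    def __init__(self, app, policy=tuned):
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        nonce = secrets.token_urlsafe(16)
        environ["csp.nonce"] = nonce

        def start(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "content-security-policy"]
            headers.append(("Content-Security-Policy", build_csp(self.policy(nonce))))
            return start_response(status, headers, exc_info)

        return self.app(environ, start)


if __name__ == "__main__":
    print("blocked by default-src 'self' only:", blocked_loads(too_strict()))
    print("blocked by tuned policy:", blocked_loads(tuned("demo")))
    print(build_csp(tuned("demo")))
```

Run it and the first line lists the CDN stylesheet and the `data:` image as blocked under `default-src 'self'`, while the tuned policy blocks nothing on that page; the fix is adding the specific directive and source, not removing the header.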