How does the “Content Security Policy (CSP) Header Not Set” test (10038) work in HawkScan?

How to address “Content Security Policy (CSP) Header Not Set” issues found by HawkScan

Written by Anthony Stinn
Updated over a week ago

Question:

My scan results include findings for Content Security Policy (CSP) Header Not Set (ZAP plugin 10038) -- how should I investigate these?

Answer:

Alert Behavior

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page.

See: Content Security Policy (CSP) Header Not Set for more information on the alert logic.

If no CSP header is present, or the header is misconfigured, HawkScan raises this alert. In that case there are a few ways to fix the issue.

Resolving the Issue

CSP headers are likely either:

  1. Not set at the application level, or

  2. Altered in flight (or removed) by a Web Application Firewall (WAF) if your scan traverses one, so the headers in the application's responses never reach the scanner intact.

    1. If you're scanning through a WAF, consider running local development scans instead. This approach helps eliminate the complexities and false positives that defensive network infrastructure brings to your scans.

In either case, review your CSP policies at the application level to determine whether they are missing or need to be addressed, make any needed updates to the application, then re-scan it with HawkScan.
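The triage described above can be scripted. The following is an added example, not HawkScan's or ZAP's own alert code: it checks a response's headers for a Content-Security-Policy header, flags a few common weaknesses, and compares the header the application sends with the one the scanner observes to spot a WAF rewriting responses. The header values and the cdn.example.test origin are constructed sample data.

```python
from typing import Dict, List, Optional

# Constructed sample responses (not real scan output).
APP_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test",
}
WAF_RESPONSE = {"Content-Type": "text/html"}  # CSP header stripped in flight
WEAK_RESPONSE = {"content-security-policy": "script-src * 'unsafe-inline'"}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP policy string into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def review_csp(headers: Dict[str, str]) -> List[str]:
    """Return a list of issues; an empty list means the policy passed these checks."""
    policy = get_header(headers, "Content-Security-Policy")
    if policy is None:
        return ["Content-Security-Policy header not set"]
    directives = parse_csp(policy)
    issues: List[str] = []
    if "default-src" not in directives:
        issues.append("no default-src fallback directive")
    # script-src falls back to default-src when it is not set explicitly.
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        issues.append("script-src allows 'unsafe-inline'")
    if "*" in script_src:
        issues.append("script-src allows any origin (*)")
    return issues


def altered_in_flight(app_headers: Dict[str, str], observed: Dict[str, str]) -> bool:
    """True when the app sent a CSP header but the scanner saw a different value (or none),
    which points at a WAF or proxy rewriting responses rather than a missing policy."""
    sent = get_header(app_headers, "Content-Security-Policy")
    seen = get_header(observed, "Content-Security-Policy")
    return sent is not None and sent != seen
```

Capture APP_RESPONSE directly from the application (for example on a local development instance) and WAF_RESPONSE from the scanner's vantage point; if altered_in_flight returns True, the fix belongs in the WAF configuration or the scan setup, not the application.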

Additional Information

Google's CSP Evaluator tool can be used to validate your CSP policy against best practices -- simply paste your CSP policy in and the tool will deliver specific recommendations.
