Skip to main content
All CollectionsScan Findings
How does the “Content Security Policy (CSP) Header Not Set” test (10038) work in HawkScan?
How does the “Content Security Policy (CSP) Header Not Set” test (10038) work in HawkScan?

How to address “Content Security Policy (CSP) Header Not Set” issues found by HawkScan

Anthony Stinn avatar
Written by Anthony Stinn
Updated over a year ago

Question:

My scan results include findings for Content Security Policy (CSP) Header Not Set (ZAP plugin 10038) -- how should I investigate these?

Answer:

Alert Behavior

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page.

See: Content Security Policy (CSP) Header Not Set for more information on the alert logic.

If no CSP header is present or is misconfigured, this will cause an alert from StackHawk. In this case, there are a few ways we can fix this issue.

Resolving the Issue

CSP headers are likely either:

  1. Not set at the application level or

  2. If your scan is traversing a Web Application Firewall (WAF), the headers in the application responses back to the scanner may be getting altered in flight (or removed) by the WAF

    1. if you're scanning through a WAF, consider implementing local development scans instead -- this approach helps eliminate the complexities and false positives that defensive network infrastructure brings to your scans

In either case, review your CSP policies at the application level to determine whether they are missing or need to be addressed, make any needed updates to the application, then re-scan it with HawkScan.

Additional Information

Google's CSP Evaluator tool can be used to to validate your CSP policy against best practices -- simply paste your CSP policy in and the tool will deliver specific recommendations.

Did this answer your question?