What is Lack of Security Headers Content-Security-Policy Vulnerability?

Content-Security-Policy (CSP) is the name of an HTTP response header that modern browsers use to improve the security of a document (web page). The Content-Security-Policy header lets you control how the browser loads resources such as JavaScript, CSS, and almost anything else.

Although it is most commonly delivered as an HTTP response header, it may also be delivered as an HTML meta tag.

Impact

There is no direct impact on your website if CSP is not implemented. However, if your website is exposed to a Cross-site Scripting (XSS) attack, CSP can prevent the vulnerability from being successfully exploited. You lose this extra layer of protection if you do not implement CSP.
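The check a scanner performs for this finding, as an added example that is not part of the original article: it looks for the header described above and then evaluates whether the policy actually restricts script execution, since a CSP that still permits inline or wildcard scripts gives little of the XSS protection the Impact section describes. The response headers are a constructed sample, and the function names are this example's own.

```python
# Added example (not from the original page): assess the Content-Security-Policy
# header of an HTTP response. Input is a constructed dict of response headers.

def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def assess_csp(headers: dict[str, str]) -> list[str]:
    """Return findings; an empty list means a CSP is present and restricts scripts."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}
    policy = lower.get("content-security-policy")
    if policy is None:
        if "content-security-policy-report-only" in lower:
            return ["CSP present only in Report-Only mode: violations are reported, not blocked"]
        return ["Content-Security-Policy header missing"]
    directives = parse_csp(policy)
    findings: list[str] = []
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    scripts = directives.get("script-src", directives.get("default-src"))
    if scripts is None:
        return ["neither script-src nor default-src set: script loading unrestricted"]
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+),
    # so only flag 'unsafe-inline' when no nonce/hash is present.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
    )
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without nonce/hash: injected inline scripts would run")
    if "*" in scripts or "data:" in scripts:
        findings.append("script-src allows '*' or data: sources: scripts can load from anywhere")
    return findings

if __name__ == "__main__":
    # Constructed sample responses: one with no CSP, one with a weak CSP, one sound.
    samples = {
        "no-csp": {"Content-Type": "text/html"},
        "weak-csp": {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *"},
        "sound-csp": {"content-security-policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'"},
    }
    for name, hdrs in samples.items():
        print(name, "->", assess_csp(hdrs) or ["OK"])
```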

Browser Support for CSP

Chrome

Content-Security-Policy CSP Level 3 – Chrome 59+ Partial Support
Content-Security-Policy CSP Level 2 – Chrome 40+ Full Support Since January 2015
Content-Security-Policy CSP 1.0 – Chrome 25+
X-Webkit-CSP Deprecated – Chrome 14-24

Firefox

Content-Security-Policy CSP Level 3 – Firefox 58+ Partial Support
Content-Security-Policy CSP Level 2 – Firefox 31+ Partial Support since July 2014
Content-Security-Policy CSP 1.0 – Firefox 23+ Full Support
X-Content-Security-Policy Deprecated – Firefox 4-22

Safari

Content-Security-Policy CSP Level 3 – Safari 15.4+ Partial Support
Content-Security-Policy CSP Level 2 – Safari 10+
Content-Security-Policy CSP 1.0 – Safari 7+
X-Webkit-CSP Deprecated – Safari 6

Edge

Content-Security-Policy CSP Level 3 – Edge 79+ Partial Support
Content-Security-Policy CSP Level 2 – Edge 15+ Partial, 76+ Full
Content-Security-Policy CSP 1.0 – Edge 12+

Internet Explorer

X-Content-Security-Policy Deprecated – IE 10-11 (supports the sandbox directive only)

For more information, please refer to the link.

The ZOFixer.com security scan helps to find this vulnerability in your software and server; you can easily use it by registering on our website and activating the 30-day trial.
