Bug Title: Missing Content-Security-Policy (CSP) Header on REDACTED
Vulnerability Rating Taxonomy (VRT):
- Server Security Misconfiguration > Missing Security Headers > Content-Security-Policy
Severity:
- P3 (Moderate severity due to potential for XSS and other injection attacks)
Summary:
The domain REDACTED lacks a Content-Security-Policy (CSP) header. A properly implemented CSP can mitigate several types of attacks, including Cross-Site Scripting (XSS), by specifying trusted sources for content. Without this header, the site is more susceptible to injection attacks such as XSS, increasing security risk.
Steps to Reproduce:
- Visit the site REDACTED.
- Open browser developer tools or use an online tool like SecurityHeaders.io.
- Check for the presence of the Content-Security-Policy header.
- Observe that the CSP header is missing.
Expected Result:
The site should have a CSP header defining trusted sources for scripts, styles, and other resources, reducing the likelihood of script injection attacks.
Actual Result:
The Content-Security-Policy header is missing, increasing the risk of XSS and other injection attacks.
Recommendation:
- Implement a Content-Security-Policy header to restrict the sources from which scripts, styles, and other resources can be loaded.
Example CSP configuration:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none';
- Test and adjust the CSP policy to ensure legitimate functionality while minimizing risks.
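The following checker is an added example, not part of the original report, for the "test and adjust" step: it parses a CSP header value from a dict of response headers (constructed sample data here; a real run would populate it from the HTTP response) and reports the header as missing, report-only, or present but weakened by script sources such as 'unsafe-inline' and 'unsafe-eval', which are exactly the keywords in the example policy above.

```python
# Directives governing script execution; default-src is the fallback when
# script-src is absent.
SCRIPT_FALLBACK = ("script-src", "default-src")
# Source expressions that largely defeat the XSS protection a CSP is meant
# to provide when they appear in the script directive.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:")


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:  # skip empty clauses, e.g. from a trailing ';'
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def assess_csp(headers):
    """Return a list of findings for a dict of response headers.

    An empty list means a CSP is present and none of the checks fired.
    Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-security-policy")
    if value is None:
        if "content-security-policy-report-only" in lowered:
            return ["report-only CSP present: violations are logged but not blocked"]
        return ["missing: no Content-Security-Policy header"]
    policy = parse_csp(value)
    findings = []
    script = next((policy[d] for d in SCRIPT_FALLBACK if d in policy), None)
    if script is None:
        findings.append("no script-src or default-src: script sources unrestricted")
    else:
        findings += [f"script sources allow {s}" for s in WEAK_SCRIPT_SOURCES if s in script]
    # Plugin content (object/embed) should be disabled outright.
    obj = policy.get("object-src", policy.get("default-src"))
    if obj is None or "'none'" not in obj:
        findings.append("object-src not set to 'none': plugin content allowed")
    return findings


# Constructed sample responses: the report's example policy and a stricter one.
SAMPLE_HEADERS = {
    "as recommended": {"Content-Security-Policy": "default-src 'self'; script-src 'self' "
                       "'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none';"},
    "stricter": {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_HEADERS.items():
        print(label, "->", assess_csp(hdrs) or ["no findings"])
```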
Impact:
The lack of a CSP header leaves the website more vulnerable to XSS and other script injection attacks, which can compromise user data and site integrity.