In the Application Security section of your scorecard, if issues are detected regarding the absence of a Content Security Policy (CSP), they will appear as High Severity issues. When SecurityScorecard reports on these findings, the check is made against the "Final URL" in the redirect chain, not against the initial URL.
Having a CSP in place has been shown to be an effective step in preventing cross-site scripting (XSS) attacks.
This article provides insight into methods for independently validating this finding.
Procedure
- Confirm the domain URL (Final URL) that you would like to validate.
- Navigate to CSP Validator or SecurityHeaders in any browser. These validators check both response headers and meta tags.
- Paste the Final URL from Step 1 into the field and click Scan.
Result
The output from Step 3 above will be either "No CSP Policy Detected" or the CSP header information itself (e.g. "default-src 'self' 'unsafe-eval'").
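As an added illustration (not SecurityScorecard's or either validator's own code), the same check can be reproduced with a short script: follow the redirect chain to the Final URL, then look for a Content-Security-Policy response header or a <meta http-equiv="Content-Security-Policy"> tag in the body. The URLs, responses and fetch() below are constructed stand-ins so the script runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed stand-in for live HTTP responses: url -> (status, headers, body).
# Replace fetch() with a real HTTP client to check a live site.
RESPONSES = {
    "http://example.test/": (301, {"Location": "https://www.example.test/"}, ""),
    "https://www.example.test/": (302, {"Location": "/home"}, ""),
    "https://www.example.test/home": (200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="Content-Security-Policy" '
        'content="default-src \'self\'"></head></html>'),
    "https://hdr.example.test/": (200,
        {"Content-Security-Policy": "default-src 'self' 'unsafe-eval'"}, "<html></html>"),
    "https://nocsp.example.test/": (200, {"Content-Type": "text/html"}, "<html></html>"),
}

def fetch(url):
    return RESPONSES[url]

class MetaCSPParser(HTMLParser):
    """Collects the content= of every <meta http-equiv="Content-Security-Policy">."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "meta" and a.get("http-equiv", "").strip().lower() == "content-security-policy":
            self.policies.append(a.get("content", "").strip())

def resolve_final_url(url, max_hops=10):
    """Follow Location redirects; return (final_url, status, headers, body)."""
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative; resolve it
            continue
        return url, status, headers, body
    raise RuntimeError("too many redirects")

def check_csp(start_url):
    """Return (final_url, policy_or_None): the header wins, then <meta> tags."""
    final_url, _, headers, body = resolve_final_url(start_url)
    for k, v in headers.items():
        if k.lower() == "content-security-policy":
            return final_url, v
    p = MetaCSPParser()
    p.feed(body)
    return final_url, (p.policies[0] if p.policies else None)
```

A result of None for the Final URL corresponds to the validator's "No CSP Policy Detected"; a policy found only on an earlier hop in the chain does not count.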
How can this issue be resolved?
- I have fixed this: Based on the above procedure, if a valid CSP header is in place, submit under this category.
- I have a compensating control: If your organization has a Web Application Firewall (WAF) or Intrusion Detection System (IDS), submit evidence along with your signature list for consideration in issue approval.
- This is not my IP or domain: If the asset was never owned by your organization, submit under this category.
- I cannot reproduce this issue and I think it's incorrect: If you have not done anything to fix the issue, but after validating with the above procedure feel that the issue does not exist, submit under this category. Also submit under this category if we are observing the finding on an initial URL that redirects to a final site with a CSP header present.