In the Application Security section of your scorecard, issues detected regarding the absence of a Content Security Policy (CSP) appear as High Severity issues. When SecurityScorecard reports these findings, the check is performed against the "Final URL" in the redirect chain.
Having a CSP in place has been shown to be an effective step in preventing Cross-Site Scripting (XSS) attacks.
The purpose of this article is to provide some insight on methods of independently validating this finding.
1. Confirm the domain URL that you would like to validate.
2. Navigate to https://cspvalidator.org/ in any browser. This validator checks both response headers and meta tags.
3. Paste the URL from Step 1 into the field and click "Go!"
The output from Step 3 will be either "No CSP Policy Detected", or the CSP header information will be displayed (e.g. "default-src 'self' 'unsafe-eval' 'unsafe-inline' *").
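The same check can be reproduced offline. The following script is an added example, not SecurityScorecard's or cspvalidator.org's code: it follows the redirect chain to the final URL and then looks for a CSP in both the response headers and `<meta http-equiv>` tags; the `www.example.com` chain and the `sample_fetch` helper are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

class _MetaCSP(HTMLParser):
    """Collect <meta http-equiv="Content-Security-Policy" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "content-security-policy":
            self.policies.append(a.get("content", "").strip())

def follow_chain(fetch, url, max_hops=10):
    """Follow 3xx Location hops. fetch(url) -> (status, headers, body), with
    lowercase header names. Returns (chain, status, headers, body) of the final URL."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if 300 <= status < 400 and headers.get("location"):
            url = urljoin(url, headers["location"])  # resolve a relative Location
            chain.append(url)
            continue
        return chain, status, headers, body
    raise RuntimeError("redirect loop or chain longer than %d hops" % max_hops)

def check_csp(fetch, url):
    """Evaluate the finding the way the scorecard does: against the final URL."""
    chain, status, headers, body = follow_chain(fetch, url)
    parser = _MetaCSP()
    parser.feed(body)
    enforced = headers.get("content-security-policy", "")
    report_only = headers.get("content-security-policy-report-only", "")
    return {
        "final_url": chain[-1], "hops": len(chain) - 1, "status": status,
        "header_csp": enforced, "report_only_csp": report_only,
        "meta_csp": parser.policies,
        # Report-Only never blocks anything, so it does not count as a policy in place.
        "has_csp": bool(enforced or parser.policies),
    }

# Constructed sample chain: the initial http:// URL has no CSP and redirects to
# the https:// site, which sends the header quoted in the article above.
SAMPLE = {
    "http://www.example.com/": (301, {"location": "https://www.example.com/"}, ""),
    "https://www.example.com/": (200, {"content-security-policy":
        "default-src 'self' 'unsafe-eval' 'unsafe-inline' *"}, "<html><head></head></html>"),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    print(check_csp(sample_fetch, "http://www.example.com/"))
```

To run it against a live site, supply a `fetch` callable that performs a single request without following redirects and returns `(status, lowercase_headers, body)`; the result then tells you whether the policy lives on the initial or the final URL, which is exactly the distinction the resolution categories below depend on.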
How can this issue be resolved?
- I have fixed this
  - Based on the above procedure, if a valid CSP header is in place, submit under this category.
- I have a compensating control
  - If your organization possesses a Web Application Firewall (WAF) or Intrusion Detection System (IDS), submit evidence with your signatures list for consideration on issue approval.
- This is not my IP or domain
  - If the asset was never owned by your organization, submit under this category.
- I cannot reproduce this issue and I think it's incorrect
  - If you have not done anything to fix the issue, but after validating with the above procedure you feel that the issue doesn't exist, submit under this category.
  - Also submit under this category if we are observing the finding on an initial URL that redirects to a final site with a CSP header present.