CSP: script-src unsafe-inline

Risk:
Medium

Type:
Passive

CWE:
CWE-693

Summary: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Solution: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Other info: script-src includes unsafe-inline.

References

https://www.w3.org/TR/CSP/

https://caniuse.com/#search=content+security+policy

https://content-security-policy.com/

https://github.com/HtmlUnit/htmlunit-csp

https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources

Top Security News

Latest CVE List

Common Security Alerts

InformationalRetrieved from Cache
InformationalInformation Disclosure - Suspicious Comments
InformationalCross Site Scripting (Persistent) - Spider
MediumELMAH Information Leak
HighSQL Injection - PostgreSQL
HighExternal Redirect
InformationalASP.NET ViewState Disclosure
InformationalAuthentication Request Identified
HighNoSQL Injection - MongoDB (Time Based)
InformationalInformation Disclosure - Information in Browser localStorage

Top CWE List

Free online web security scanner

Don't show website scan report rating on the leaderboard