CSP: Malformed Policy (Non-ASCII)
- Risk:
Medium
- Type:
- Passive
- CWE:
- CWE-693
- Summary
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
- Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
- Other info
- A non-ASCII character was encountered while attempting to parse the policy, thus rendering it invalid (no further evaluation occurred). The following invalid characters were collected: ‘’
- References
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
Europol Dismantles SIM Farm Network Powering 49 Million Fake Accounts Worldwide
Google ads for fake Homebrew, LogMeIn sites push infostealers
New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs
Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT
American Airlines subsidiary Envoy confirms Oracle data theft attack
Microsoft lifts more safeguard holds blocking Windows 11 updates
Europol dismantles SIM box operation renting numbers for cybercrime
CVE-2025-54253 Adobe Experience Manager Forms Code Execution Vulnerability
CVE-2016-7836 SKYSEA Client View Improper Authentication Vulnerability
CVE-2025-6264 Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
CVE-2025-59230 Microsoft Windows Improper Access Control Vulnerability
CVE-2025-24990 Microsoft Windows Untrusted Pointer Dereference Vulnerability
CVE-2025-47827 IGEL OS Use of a Key Past its Expiration Date Vulnerability
CVE-2025-27915 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
CVE-2025-61882 Oracle E-Business Suite Unspecified Vulnerability
CVE-2010-3765 Mozilla Multiple Products Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner