The API does not set the "Content-Security-Policy" header in its responses. This HTTP header instructs browsers to load additional content (scripts, images, etc.) for a given page only from a list of approved origins. This helps prevent Cross-Site Scripting (XSS) and other code injection attacks by blocking malicious content from untrusted origins. In the context of an API, there is no additional content to load when a browser retrieves an API response. Hence, a restrictive "Content-Security-Policy" header can be used to further prevent XSS attacks that target the API's responses, for example when a browser renders such a response directly.
Configure your server or application to set the 'Content-Security-Policy' header in all HTTP responses. For example, you might set it to "default-src 'none';" if your API returns no active content, thereby preventing any external content from being loaded. If you do serve scripts or images, whitelist only the specific sources you control. Regularly test your CSP directives to ensure they align with any legitimate external resources. Additionally, consider employing a Web Application Firewall (WAF) or intrusion detection system to monitor for XSS injection attempts. Consistently review and update security headers as part of your overall patch management and hardening processes.
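The following is an added example, not code from the original finding or from the affected API. It shows the two halves of the remediation above in Python: a small WSGI middleware that sets a `default-src 'none'` policy on every response that does not already carry one, and a checker that parses the header and flags a missing policy, a missing `default-src` fallback, or permissive sources such as `'unsafe-inline'` or `*`. The `json_api` endpoint and the header value `API_CSP` are constructed for the example; the policy assumes the API never serves HTML, scripts or images to a browser.

```python
"""Set a restrictive Content-Security-Policy on API responses and verify it.

Added example (not from the original finding). The WSGI app is a constructed
stand-in for any API framework; the checker works on any header mapping.
"""
from wsgiref.util import setup_testing_defaults

# Policy for an API that returns no active content (assumption: the API never
# serves HTML, scripts or images to a browser).
API_CSP = "default-src 'none'; frame-ancestors 'none'"


def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(headers):
    """Return a list of problems with the CSP in a header mapping.

    Header names are matched case-insensitively. An empty list means the
    policy is restrictive enough for a pure-data API.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-security-policy")
    if value is None:
        return ["Content-Security-Policy header missing"]
    directives = parse_csp(value)
    problems = []
    if "default-src" not in directives:
        problems.append("no default-src fallback directive")
    for name, sources in directives.items():
        if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
            problems.append(f"{name} allows unsafe-inline/unsafe-eval")
        if "*" in sources:
            problems.append(f"{name} allows any origin (*)")
    return problems


class SecurityHeadersMiddleware:
    """WSGI middleware that adds the CSP header unless the app already set one."""

    def __init__(self, app, csp=API_CSP):
        self.app = app
        self.csp = csp

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            if not any(h.lower() == "content-security-policy" for h, _ in headers):
                headers.append(("Content-Security-Policy", self.csp))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start)


def json_api(environ, start_response):
    """Constructed sample endpoint: returns JSON and sets no CSP itself."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"status":"ok"}']


def call_wsgi(app, path="/health"):
    """Invoke a WSGI app once and return (status, headers_dict, body_bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, bare_headers, _ = call_wsgi(json_api)
    print("without middleware:", csp_findings(bare_headers))
    _, hardened_headers, _ = call_wsgi(SecurityHeadersMiddleware(json_api))
    print("with middleware:", csp_findings(hardened_headers))
```

Running the module shows the unwrapped endpoint reported as missing the header and the wrapped one passing with no findings. The checker is deliberately conservative: for an API that returns only data, any allowance beyond `'none'` or `'self'` deserves a review, which is why it treats `*` and the `unsafe-*` keywords as findings rather than warnings.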
Code: A05:2021
Category: Security Misconfiguration
2.6