TWA 0215
"Content-Security-Policy 'default-src' is '${csp_default_src}'"
In the message output the variable ${csp_default_src} is replaced by the value of the default-src field in the Content-Security-Policy entry received from the web server.
The Content-Security-Policy is sent from the web server to the web browser in an HTTP response header. If the web browser supports it, the Content-Security-Policy enables stronger protection against XSS (cross-site scripting) enforced by the browser itself.
The Content-Security-Policy is a field in the header of the HTTP response. Its value is a string with internal structure: a list of one or more directives separated by semicolons. The default-src directive defines the allowed sources of resources (e.g. images, scripts) that may be included in the current web page; it is the fallback for the more specific fetch directives.
The value 'none' prevents loading resources from any source. This is the strongest setting for XSS protection by the web browser.
Set 'none' as default-src for the Content-Security-Policy in the web server configuration.
For nginx: include the line add_header Content-Security-Policy "default-src 'none';" always; in the server section of the configuration file.
For Apache: include the line Header set Content-Security-Policy "default-src 'none';" in the configuration file.
Only use another default-src value if the web application needs it. Consider the setting 'self' if the web application does not work with the setting 'none'.
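As an added example (not the project's own code), the following Python parses a Content-Security-Policy response header into its directives, picks out default-src the way the ${csp_default_src} substitution above describes, and grades it against the recommendation on this page. The rating labels, the helper names and the sample headers are this example's own constructions.

```python
# Added example, not the project's own code: extract default-src from a
# Content-Security-Policy header and render the TWA 0215 message text.
from typing import Dict, List, Optional

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}.

    Directives are ';'-separated; the first token is the directive name,
    the rest are whitespace-separated sources. Names are case-insensitive
    and a repeated directive keeps its first occurrence, as browsers do.
    """
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:          # empty segment, e.g. after a trailing ';'
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def csp_default_src(headers: Dict[str, str]) -> Optional[str]:
    """default-src value from the response headers, or None if the header
    or the directive is absent (header-name lookup is case-insensitive)."""
    policy = next((v for k, v in headers.items()
                   if k.lower() == "content-security-policy"), None)
    if policy is None:
        return None
    sources = parse_csp(policy).get("default-src")
    return " ".join(sources) if sources is not None else None

def rate_default_src(value: Optional[str]) -> str:
    """Grade against this page: 'none' is strongest, 'self' the fallback.
    The label names are this example's own choice."""
    if value is None:
        return "missing"
    if value.lower() == "'none'":
        return "strongest"
    if value.lower() == "'self'":
        return "restricted"
    return "permissive"

def twa_0215_message(headers: Dict[str, str]) -> str:
    """Render the check message with ${csp_default_src} substituted."""
    return f"Content-Security-Policy 'default-src' is '{csp_default_src(headers)}'"

# Constructed sample responses, not captured from a real server.
SAMPLE_RESPONSES = {
    "nginx-hardened": {"Content-Security-Policy": "default-src 'none';"},
    "mixed-case": {"content-security-policy": "Default-Src 'self' https://cdn.example; img-src *"},
    "no-csp": {"X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, "->", twa_0215_message(hdrs), rate_default_src(csp_default_src(hdrs)))
```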