Content-Security-Policy

Checks for the presence of the 'Content-Security-Policy' header, which helps prevent certain types of attacks.

This test checks for the existence of the Content-Security-Policy Header (CSP) and looks for errors in the policy.

A CSP is an extra layer of security that a website can use to protect its users from Cross Site Scripting and Data Injection attacks. It works by telling the browser which domains should be trusted as valid sources for content. This way, if an attacker manages to inject malicious scripts or images into the website, they won't be run or displayed.

Cross Site Scripting Attack (XSS)

An XSS attack can happen if an attacker is able to post content to a website that does not get sanitized and is then displayed to a user. If this happens, malicious JavaScript code could be loaded. This could be used to steal information from the user, track them, or disturb them in other ways.

Data Injection Attacks

A data injection attack is similar to an XSS attack, except instead of code being run, it displays images or other content. The purpose could be to track users, make the website unusable, or trick users into performing unwanted actions.

Protection

A good CSP can protect users from these sorts of attacks by preventing content from being loaded from untrusted sources. For example, the CSP could declare that inline JavaScript is not allowed. This would eliminate many types of XSS attacks. The CSP could also declare that the website is the only valid source for images, which would prevent some types of data injection attacks.

In addition to testing for syntax errors, this test will also look for the usage of unsafe values in your CSP policy. For example, the unsafe-inline value allows all inline scripts to run, which is counterproductive to the intent of a CSP policy, as it allows XSS attacks. If inline scripts are necessary for the website to function, it would be better to use a nonce or hash value to approve specific scripts on a case-by-case basis.
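To make the checks described above concrete, here is an added Python example (written for this page, not the tool's own implementation) that parses a CSP header the way browsers do (first occurrence of a duplicated directive wins), reports probable syntax errors (unknown directive names, keywords such as self written without single quotes), flags 'unsafe-inline', 'unsafe-eval' and wildcard sources, and computes the sha256 source expression that approves one specific inline script instead of allowing all of them. The two sample headers, the nonce value and the inline script body are constructed for the example; the directive and keyword lists reflect the CSP specification.

```python
import base64
import hashlib

# Directive names defined by the CSP specifications; anything else is reported
# as a probable typo, since browsers silently ignore unknown directives.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
    "sandbox", "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content", "require-trusted-types-for", "trusted-types",
}

# Keyword sources are only recognised when single-quoted; a bare "self" is
# treated by browsers as a host named "self", which is almost never intended.
QUOTED_KEYWORDS = {
    "self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
    "strict-dynamic", "report-sample", "wasm-unsafe-eval",
}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.

    Browsers keep the first occurrence of a duplicated directive and ignore
    later ones, so the parser does the same.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def audit_csp(header):
    """Return a list of human-readable findings for a CSP header string."""
    policy = parse_csp(header)
    findings = []

    # Syntax-level problems: unknown directive names and unquoted keywords.
    for name, sources in policy.items():
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{name}' (typo?)")
        for src in sources:
            if src.lower() in QUOTED_KEYWORDS:
                findings.append(f"{name}: keyword {src} must be single-quoted")

    if "default-src" not in policy:
        findings.append("no default-src: any fetch directive you forget is unrestricted")

    def effective(directive):
        # A fetch directive that is absent falls back to default-src.
        return policy.get(directive, policy.get("default-src"))

    script = effective("script-src")
    if script is None:
        findings.append("script-src: scripts may load from any origin")
    else:
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in script:
                findings.append(f"script-src: {keyword} defeats the XSS protection")
        if "*" in script:
            findings.append("script-src: wildcard origin allows scripts from anywhere")

    img = effective("img-src")
    if img is not None and "*" in img:
        findings.append("img-src: wildcard origin allows images from anywhere")

    if effective("object-src") is None:
        findings.append("object-src: plugin content may load from any origin")

    return findings


def script_hash(inline_source):
    """Compute the 'sha256-...' expression that approves exactly one inline script."""
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


# Constructed sample headers (not taken from the page): one with the problems the
# test looks for, one hardened with a nonce instead of 'unsafe-inline'.
WEAK_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
            "img-src *; style-src self; frame-ancestor 'none'")
HARDENED_CSP = ("default-src 'self'; script-src 'self' 'nonce-dGVzdC1ub25jZQ=='; "
                "img-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, audit_csp(csp) or ["no findings"])
    print("hash expression for an inline script:", script_hash("console.log('hello')"))
```

The nonce in the hardened header must be generated fresh for every response; a fixed value like the one above is only a stand-in for the example. The hash alternative needs no per-request state, but the hash covers the exact script body, so any change to the inline script requires updating the header.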

For more information about the possible values for this header, please read our documentation for the Content-Security-Policy Header. To quickly create your customized CSP header, use our CSP Wizard and fill in the details to get a copy-and-paste solution. To learn more about security headers in general, you can read our article on Security Headers.

Ready to validate your website for this test and 100+ others?