Checks for the presence of the 'Content-Security-Policy' header, which helps prevent certain types of attacks.
This test checks for the existence of the Content-Security-Policy (CSP) header and looks for errors in the policy.
A CSP is an extra layer of security that a website can use to protect its users from Cross Site Scripting and Data Injection attacks. It works by telling the browser which domains should be trusted as valid sources for content. This way, if an attacker manages to inject malicious scripts or images into the website, they won't be run or displayed.

Cross Site Scripting Attack (XSS)
A data injection attack is similar to an XSS attack, except instead of code being run, it displays images or other content. The purpose could be to track users, make the website unusable, or trick users into performing unwanted actions.

Protection
In addition to testing for syntax errors, this test will also look for the usage of unsafe values in your CSP policy. For example, the unsafe-inline value allows all inline scripts to run, which is counterproductive to the intent of a CSP policy, as it allows XSS attacks. If inline scripts are necessary for the website to function, it would be better to use a nonce or hash value to approve specific scripts on a case-by-case basis.
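The check described above, as an added example that is not the tool's own code: a small parser that splits a CSP header into directives and flags unsafe source values in the script-controlling directives. The list of flagged values and the sample headers are assumptions constructed for this example.

```python
"""Parse a Content-Security-Policy header and flag unsafe source values."""
from typing import Dict, List

# Assumed checklist of source expressions that defeat the purpose of a CSP.
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
# Directives that govern script/object execution, where unsafe values matter most.
EXEC_DIRECTIVES = ("default-src", "script-src", "object-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace; the first token
    of each directive is its name (case-insensitive), the rest are sources.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so keep only the first one.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def find_unsafe_values(header: str) -> List[str]:
    """Return one finding per unsafe value found in an execution directive."""
    policy = parse_csp(header)
    findings: List[str] = []
    # Without script-src or a default-src fallback, scripts are unrestricted.
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts are unrestricted")
    for directive in EXEC_DIRECTIVES:
        for src in policy.get(directive, []):
            if src.lower() in UNSAFE_SOURCES:
                findings.append(f"{directive} allows {src}")
    return findings


# Constructed sample headers: one that relies on 'unsafe-inline', and the
# same policy using a nonce to approve a specific inline script instead.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
HARDENED = ("default-src 'self'; script-src 'self' 'nonce-R4nd0m' https://cdn.example.com; "
            "object-src 'none'")

if __name__ == "__main__":
    for name, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", find_unsafe_values(header) or "no unsafe values")
```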
For more information about the possible values for this header, please read our documentation for the Content-Security-Policy Header. To quickly create your customized CSP header, use our CSP Wizard and fill in the details to get a copy-and-paste solution. To learn more about security headers in general, you can read our article on Security Headers.