CspHeaderSet [check] v0.1.0

Label

Content-Security-Policy header restricts script and object sources

Assertion

Every HTML response sets a Content-Security-Policy header that defines an allow-list of script, object, and frame sources. The policy disallows inline scripts (or uses nonces/hashes), disallows eval, sets object-src 'none', and reports violations to a logging endpoint.

Evidence

• Response headers contain Content-Security-Policy (not Content-Security-Policy-Report-Only once enforcement is desired).
• No 'unsafe-inline' for script-src; inline scripts use a per-request nonce or sha256 hash.
• object-src 'none' — Flash and similar plugin embedding is forbidden.
• base-uri 'self' — prevents <base href=…> injection from rewriting all relative URLs.
• frame-ancestors 'self' (or specific allow-list) — clickjacking defence; replaces X-Frame-Options.
• Violations reported to a server-side endpoint and reviewed on a schedule.

Failure Mode

An XSS that slipped past output encoding executes anyway because the browser had no policy to reject the injected <script src=//attacker/>.

CspHeaderSet [check] v0.1.0

Label

Content-Security-Policy header restricts script and object sources

Assertion

Every HTML response sets a Content-Security-Policy header that defines an allow-list of script, object, and frame sources. The policy disallows inline scripts (or uses nonces/hashes), disallows eval, sets object-src 'none', and reports violations to a logging endpoint.

Evidence

• Response headers contain Content-Security-Policy (not Content-Security-Policy-Report-Only once enforcement is desired).
• No 'unsafe-inline' for script-src; inline scripts use a per-request nonce or sha256 hash.
• object-src 'none' — Flash and similar plugin embedding is forbidden.
• base-uri 'self' — prevents <base href=…> injection from rewriting all relative URLs.
• frame-ancestors 'self' (or specific allow-list) — clickjacking defence; replaces X-Frame-Options.
• Violations reported to a server-side endpoint and reviewed on a schedule.

Failure Mode

An XSS that slipped past output encoding executes anyway because the browser had no policy to reject the injected <script src=//attacker/>.

Rationale

CSP is a defence-in-depth control against XSS: even when an injection sneaks through output encoding, the browser refuses to execute scripts from disallowed sources. A modern starting policy: default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; script-src 'self' 'nonce-…'; report-to csp-endpoint.

Label

Content-Security-Policy header restricts script and object sources

Assertion

Every HTML response sets a Content-Security-Policy header that defines an allow-list of script, object, and frame sources. The policy disallows inline scripts (or uses nonces/hashes), disallows eval, sets object-src 'none', and reports violations to a logging endpoint.

Evidence

• Response headers contain Content-Security-Policy (not Content-Security-Policy-Report-Only once enforcement is desired).
• No 'unsafe-inline' for script-src; inline scripts use a per-request nonce or sha256 hash.
• object-src 'none' — Flash and similar plugin embedding is forbidden.
• base-uri 'self' — prevents <base href=…> injection from rewriting all relative URLs.
• frame-ancestors 'self' (or specific allow-list) — clickjacking defence; replaces X-Frame-Options.
• Violations reported to a server-side endpoint and reviewed on a schedule.

Failure Mode

An XSS that slipped past output encoding executes anyway because the browser had no policy to reject the injected <script src=//attacker/>.