Task #13208

Task #13202: Huawei Pentest Remediation

HUAWEI - L4 - Misconfiguration "Content-Security-Policy" Header

Added by Nurul Athira Abdul Rahim about 2 years ago. Updated over 1 year ago.

Status: New - Begin Life Cycle
Start date: September 06, 2022
Priority: Normal
Due date: September 16, 2022
Assignee: Rahmat Aina Nadia
% Done: 0%
Category: PCI DSS - Pentest
Spent time: -
Target version: -

Description

Description:
The "Content-Security-Policy" (CSP) header is designed to modify the way browsers and WebViews render pages, and thus to protect against various Cross-Site Scripting attacks. It is important to set the header value correctly, in a way that will not prevent proper operation of the web site. For example, if the header is set to prevent execution of inline JavaScript, the web site must not use inline JavaScript in its pages. However, in the context of WebViews or API endpoints, CSP is used to disable the loading of any resources and also to disable framing.

LGMS Solution :
Configure the application server to send the "Content-Security-Policy" header.

The recommended CSP value for WebViews or API endpoints is: default-src 'none'; frame-ancestors 'none'

The Content-Security-Policy should include a 'default-src' policy directive, which would serve as a fallback for other resource types when they don't have policies of their own.

Kindly refer to the references for more examples on common use cases.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
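The following is an added example for verifying the remediation once the header has been deployed; it is not LGMS or Penril code and is not tied to Huawei's application server. It parses a Content-Security-Policy value the way a browser does (directives split on ';', names case-insensitive, a repeated directive ignored after the first) and reports whether it matches the WebView/API recommendation above. The header values in it are constructed samples. One caveat the check encodes: frame-ancestors does not fall back to default-src, so default-src 'none' on its own does not disable framing and both directives must be present.

```python
"""Check a Content-Security-Policy header value against the WebView / API
endpoint recommendation in this finding: default-src 'none'; frame-ancestors 'none'.

Added verification example, not LGMS or Penril code. The sample header values
below are constructed for illustration.
"""
from __future__ import annotations

# Directives the recommended WebView / API policy must carry. frame-ancestors is
# listed explicitly because, unlike fetch directives, it does NOT fall back to
# default-src, so default-src 'none' alone does not disable framing.
REQUIRED_NONE = ("default-src", "frame-ancestors")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are separated by ';' and tokens by ASCII whitespace; directive
    names are case-insensitive. If a directive is repeated, browsers keep the
    first occurrence and ignore the rest, so this parser does the same.
    """
    policy: dict[str, list[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate directive: first one wins
        policy[name] = tokens[1:]
    return policy


def check_webview_csp(header: str | None) -> list[str]:
    """Return a list of findings for a WebView / API endpoint response.

    An empty list means the header is present and matches the recommended
    value. Keyword sources such as 'none' are compared case-insensitively,
    as the CSP specification requires.
    """
    if header is None or not header.strip():
        return ["Content-Security-Policy header missing"]

    policy = parse_csp(header)
    findings: list[str] = []
    for directive in REQUIRED_NONE:
        sources = policy.get(directive)
        if sources is None:
            findings.append(f"{directive} directive missing")
        elif [s.lower() for s in sources] != ["'none'"]:
            findings.append(f"{directive} should be 'none', got {' '.join(sources)}")
    return findings


# Constructed sample responses: one remediated, one still open, one absent.
SAMPLE_HEADERS = {
    "remediated endpoint": "default-src 'none'; frame-ancestors 'none'",
    "partially fixed endpoint": "default-src 'self'",
    "unfixed endpoint": None,
}


def audit_samples() -> dict[str, list[str]]:
    """Run the check over the constructed samples; keyed by sample name."""
    return {name: check_webview_csp(value) for name, value in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

In practice the header value fed to check_webview_csp would come from the actual HTTP response of each WebView or API endpoint listed in the finding; a response with no findings can be recorded as evidence that the remediation is in place.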

Penril Plan :
Related to H1 (LGMS testing not using HTTPS).
Need to check the code.

History

#1 Updated by Norhaidah Md Dasuki over 1 year ago

Aina, please update on this task. tq
