Rust

Made by DeepSource

Audit required: Found vulnerable content security policy header in HTTP response RS-A1011

Security
Critical
owasp top 10

The Content-Security-Policy header (CONTENT_SECURITY_POLICY in actix-web) restricts the sources from which a web page may load certain types of content. Setting it to accept any source with default-src '*' or script-src '*' creates a major weakness in the application, because it allows scripts to be loaded and executed from any origin, including malicious ones. This enables cross-site scripting (XSS) attacks, which can result in sensitive user data being stolen or manipulated.

To fix this issue, use a more restrictive policy that limits the sources from which scripts can be loaded. For example, default-src 'self' allows content of every type, scripts included, to be loaded only from the page's own origin, and script-src 'self' allows only same-origin scripts to be executed. Remove the wildcard character (*) from the policy altogether, as it gives attackers too much leeway.

Bad practice

use actix_web::http::header::CONTENT_SECURITY_POLICY;
use actix_web::HttpResponse;

// Vulnerable: the wildcard lets the page load and execute scripts from any origin.
fn handle_request() -> HttpResponse {
    HttpResponse::Ok()
        .append_header((CONTENT_SECURITY_POLICY, "default-src '*'; script-src '*'"))
        .finish()
}

Recommended

use actix_web::http::header::CONTENT_SECURITY_POLICY;
use actix_web::HttpResponse;

// Restrictive: all content, scripts included, may only come from the page's own origin.
fn handle_request() -> HttpResponse {
    HttpResponse::Ok()
        .append_header((CONTENT_SECURITY_POLICY, "default-src 'self'; script-src 'self'"))
        .finish()
}
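The check below is an added example, not DeepSource's implementation of RS-A1011 and not actix-web code. It parses a Content-Security-Policy header value with the standard library only and reports whether the policy effectively lets scripts run from any origin. It goes slightly beyond the two headers above: it honours the CSP fallback rule (script-src governs scripts when present, otherwise default-src, otherwise nothing restricts them), so a policy such as `default-src *; script-src 'self'` is correctly not flagged. The function names and the sample headers are the example's own.

```rust
use std::collections::HashMap;

/// Split a CSP header value into directive name -> source list.
/// Directive names are ASCII case-insensitive, and per the spec only the first
/// occurrence of a directive counts; duplicates later in the header are ignored.
pub fn parse_csp(policy: &str) -> HashMap<String, Vec<String>> {
    let mut directives = HashMap::new();
    for directive in policy.split(';') {
        let mut parts = directive.split_whitespace();
        if let Some(name) = parts.next() {
            directives
                .entry(name.to_ascii_lowercase())
                .or_insert_with(|| parts.map(str::to_string).collect());
        }
    }
    directives
}

/// The source list that actually governs script loading: `script-src` if present,
/// otherwise `default-src`. `None` means the policy places no restriction on scripts.
pub fn effective_script_sources(policy: &str) -> Option<Vec<String>> {
    let directives = parse_csp(policy);
    directives
        .get("script-src")
        .or_else(|| directives.get("default-src"))
        .cloned()
}

/// `*` is the CSP wildcard host source. The quoted form `'*'` is not valid CSP
/// grammar (browsers ignore unknown source expressions), but it is what the
/// examples above use and expresses the same intent, so the check flags it too.
fn is_wildcard(source: &str) -> bool {
    matches!(source, "*" | "'*'")
}

/// True when the header, as a browser would apply it, allows script execution
/// from any origin: either a wildcard in the governing directive, or no governing
/// directive at all.
pub fn allows_scripts_from_any_origin(policy: &str) -> bool {
    match effective_script_sources(policy) {
        None => true,
        Some(sources) => sources.iter().any(|s| is_wildcard(s)),
    }
}

fn main() {
    // Constructed sample headers: the two from the rule text plus the fallback cases.
    let samples = [
        "default-src '*'; script-src '*'",
        "default-src 'self'; script-src 'self'",
        "default-src *; script-src 'self'",
        "default-src *",
        "img-src *",
    ];
    for policy in samples {
        println!("{:<45} any-origin scripts: {}", policy, allows_scripts_from_any_origin(policy));
    }
}
```

The same function can be run over the `Content-Security-Policy` values your framework emits (or over captured responses) as a regression test, so a wildcard cannot quietly reappear in the header.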
