Audit required: Found vulnerable content security policy header in HTTP response (RS-A1011)
The Content-Security-Policy header (CONTENT_SECURITY_POLICY in actix-web) restricts the sources from which a web page may load each type of content. Setting it to accept any source with default-src '*' or script-src '*' creates a major vulnerability in the application, because it allows scripts to be loaded and executed from any origin, including ones controlled by an attacker. The header then gives no protection against cross-site scripting (XSS), through which sensitive user data can be stolen or manipulated.
To fix this issue, use a more restrictive policy that limits the sources from which scripts can be loaded. For example, default-src 'self' restricts every content type, scripts included, to the page's own origin, and script-src 'self' states explicitly that only same-origin scripts may execute. Remove the wildcard character (*) from the policy altogether, as it gives an attacker far too much room to exploit the application.
Bad practice
use actix_web::http::header::CONTENT_SECURITY_POLICY;
use actix_web::HttpResponse;
fn handle_request() -> HttpResponse {
    // Wildcard sources (written as a bare * in CSP grammar) let scripts load from any origin, so the header gives no XSS protection.
    HttpResponse::Ok()
        .append_header((CONTENT_SECURITY_POLICY, "default-src *; script-src *"))
        .finish()
}
Recommended
use actix_web::http::header::CONTENT_SECURITY_POLICY;
use actix_web::HttpResponse;
fn handle_request() -> HttpResponse {
    // 'self' limits all content, scripts included, to the page's own origin; script-src 'self' makes the script restriction explicit.
    HttpResponse::Ok()
        .append_header((CONTENT_SECURITY_POLICY, "default-src 'self'; script-src 'self'"))
        .finish()
}
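The following is an added example, not part of this rule page or of actix-web, showing how a policy string like the ones above can be checked in a unit test or CI gate before a response ships. It parses the header value with the CSP grammar (directives separated by ';', source expressions separated by whitespace, case-insensitive directive names, and script-src falling back to default-src when absent) and reports sources that let scripts come from anywhere. It also goes beyond the wildcard case in the text by flagging bare schemes such as https:, data: URLs and 'unsafe-inline', which weaken script-src in the same way. Note that in CSP grammar the wildcard is the bare token * (quoted keywords are 'self', 'none', 'unsafe-inline' and similar); the sample headers in main are constructed for this example, and cdn.example.test is a placeholder host.

```rust
use std::collections::HashMap;

/// Parse a Content-Security-Policy value into directive name -> source expressions.
/// Directives are ';'-separated, tokens are whitespace-separated, names are
/// case-insensitive, and a repeated directive is ignored (browsers keep the first).
fn parse_csp(value: &str) -> HashMap<String, Vec<String>> {
    let mut directives: HashMap<String, Vec<String>> = HashMap::new();
    for directive in value.split(';') {
        let mut tokens = directive.split_whitespace();
        if let Some(name) = tokens.next() {
            let sources: Vec<String> = tokens.map(str::to_string).collect();
            directives.entry(name.to_ascii_lowercase()).or_insert(sources);
        }
    }
    directives
}

/// Source expressions that let scripts come from anywhere or from inline text.
/// `*` is the CSP wildcard (unquoted in the grammar); bare schemes such as
/// `https:` admit every host on that scheme; `data:` lets attacker-supplied
/// data URLs execute; `'unsafe-inline'` disables the protection against
/// injected inline <script> blocks.
fn is_permissive_source(source: &str) -> bool {
    matches!(
        source.to_ascii_lowercase().as_str(),
        "*" | "http:" | "https:" | "data:" | "'unsafe-inline'"
    )
}

/// Audit the directive that governs script loading: script-src when present,
/// otherwise its fallback default-src. Returns one finding per permissive source,
/// or a single finding when neither directive exists (scripts unrestricted).
fn audit_script_policy(value: &str) -> Vec<String> {
    let directives = parse_csp(value);
    let (name, sources) = match (directives.get("script-src"), directives.get("default-src")) {
        (Some(s), _) => ("script-src", s),
        (None, Some(d)) => ("default-src", d),
        (None, None) => {
            return vec!["no script-src or default-src: script sources are unrestricted".to_string()]
        }
    };
    sources
        .iter()
        .filter(|s| is_permissive_source(s.as_str()))
        .map(|s| format!("{name} allows {s}"))
        .collect()
}

fn main() {
    // Constructed sample headers: the wildcard policy from the bad-practice sample,
    // the recommended same-origin policy, a CDN policy weakened by 'unsafe-inline',
    // and a policy that never constrains scripts at all.
    let samples = [
        "default-src *; script-src *",
        "default-src 'self'; script-src 'self'",
        "default-src 'none'; script-src 'self' https://cdn.example.test 'unsafe-inline'",
        "img-src *",
    ];
    for header in samples {
        let findings = audit_script_policy(header);
        if findings.is_empty() {
            println!("OK    {header}");
        } else {
            println!("AUDIT {header}\n      {}", findings.join("\n      "));
        }
    }
}
```

Because the check works on the header string rather than on the actix-web builder, the same function can be run against a recorded response in an integration test or fed from a proxy log during a review; a non-empty result for any script-governing directive is the condition this rule is flagging.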