CSP-001 recommended general

Full CSP headers configured

CSP header present with key directives (default-src, script-src, frame-ancestors) - not overly permissive

Question to ask

"Could an attacker inject a script into your pages right now?"

Verification guide

Severity: Recommended

CSP headers provide defense-in-depth against XSS by restricting what resources the browser can load. Even with good input sanitization, CSP is a safety net.

Check automatically:

  1. Check for CSP middleware/libraries:

       # Helmet (most common in Node.js)
       grep -E "\"helmet\"" package.json 2>/dev/null

       # CSP-specific packages
       grep -E "\"content-security-policy\"|\"csp\"" package.json 2>/dev/null

  2. Check for CSP header configuration in code:

       # Direct header setting
       grep -rE "Content-Security-Policy|contentSecurityPolicy" src/ app/ lib/ --include="*.ts" --include="*.js" 2>/dev/null

       # Helmet CSP config
       grep -rE "helmet\.contentSecurityPolicy|contentSecurityPolicy\(" src/ app/ --include="*.ts" --include="*.js" 2>/dev/null

       # Next.js CSP in headers
       grep -rE "Content-Security-Policy" next.config.* 2>/dev/null

  3. Check for CSP in infrastructure configs:

       # nginx
       grep -rE "Content-Security-Policy|add_header.*CSP" nginx/ *.conf 2>/dev/null

       # Cloudflare headers (transform rules)
       grep -rE "Content-Security-Policy" cloudflare/ wrangler.toml 2>/dev/null

       # Vercel/Netlify headers
       grep -rE "Content-Security-Policy" vercel.json netlify.toml _headers 2>/dev/null

  4. Check actual response headers (if the site is live):

       curl -sI https://example.com | grep -i "content-security-policy"

  5. Check for key directives (once a CSP is found). Must-have directives to look for in the CSP value:

     - default-src (fallback for all resource types)
     - script-src (JavaScript sources)
     - style-src (CSS sources)
     - frame-ancestors (clickjacking protection, replaces X-Frame-Options)
     - upgrade-insecure-requests (force HTTPS for resources)
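Once step 4 has produced a header value, the pass/fail criteria below can be applied mechanically. The following is an added example, not part of this checklist or of any tool it names: it parses a CSP value and reports the required directives that are missing and the permissive source lists, using the fallback rule that script-src inherits default-src when absent while frame-ancestors never does. Sample header values are constructed.

```python
from typing import Dict, List

# Directives the checklist requires to be present explicitly.
REQUIRED = ("default-src", "script-src", "frame-ancestors")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directive names are case-insensitive; when a directive is repeated the
    first occurrence wins, matching how browsers ignore later duplicates.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """Effective script sources: script-src, else the default-src fallback."""
    return policy.get("script-src", policy.get("default-src", []))


def evaluate_csp(header: str) -> dict:
    """Apply the CSP-001 pass/fail criteria to a single header value."""
    policy = parse_csp(header)
    missing = [d for d in REQUIRED if d not in policy]
    permissive: List[str] = []
    if "*" in policy.get("default-src", []):
        permissive.append("default-src *")
    effective = [s.lower() for s in script_sources(policy)]
    if "*" in effective:
        permissive.append("script-src allows any origin")
    if "'unsafe-inline'" in effective:
        permissive.append("script-src allows 'unsafe-inline'")
    return {"missing": missing, "permissive": permissive,
            "passed": not missing and not permissive}


if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    samples = {
        "strong": "default-src 'self'; script-src 'self' https://cdn.example.com; "
                  "style-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests",
        "wildcard": "default-src *; script-src * 'unsafe-inline'",
        "no_frame_ancestors": "Default-Src 'self'; script-src 'self';",
    }
    for label, value in samples.items():
        print(label, evaluate_csp(value))
```

Pipe the value from `curl -sI` into `evaluate_csp` to record the "present/missing" and "overly permissive" evidence the checklist asks for.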

Ask user:

  • "Where is CSP configured? (application code, nginx, Cloudflare, Vercel/Netlify headers)"
  • "Is this a SPA, SSR, or static site? (affects CSP complexity)"
  • "Do you use any third-party scripts (analytics, chat widgets, etc.)?"

Cross-reference with:

  • API-005 (XSS prevention - CSP is defense in depth)
  • SEC-001 (Cloudflare - can set CSP headers at edge)
  • CSP-002 (report-only mode)

Pass criteria:

  • CSP header present in responses
  • Policy includes key directives: default-src, script-src, frame-ancestors
  • Not overly permissive (no default-src *, and 'unsafe-inline' not used across all directives)

Fail criteria:

  • No CSP header configured anywhere
  • CSP is default-src * (provides no protection)
  • Missing frame-ancestors (clickjacking vulnerability)

Evidence to capture:

  • Where CSP is configured (middleware, nginx, edge)
  • Full CSP policy value
  • Which key directives are present/missing
  • Any overly permissive directives noted

Section: 32. Content Security Policy (API & Security)