csp-auditor

Doesn't report on a CSP policy not being implemented

Open • Simon-Davies opened this issue 6 years ago • 1 comment

Is it possible to add an issue to the findings when a CSP policy is not implemented? I could modify the extension myself, but I think it should be added to the approved version in the BApp Store.

Simon-Davies, Mar 26 '19 10:03

Why I was hesitant

I was not a big fan of seeing the missing header as a weakness. It should be seen as defense in depth. It has the potential to pollute the Burp scanning results (not totally, since the issues are grouped). But it makes sense if the CSP is applied in some locations of the website: it should be enabled everywhere.

2021 update

Burp built-in rules now advertise a missing CSP header. [screenshot: burp_scanner]

h3xstream, Oct 27 '21 19:10
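The check discussed in this thread, written out as an added example (this is not csp-auditor's code, nor Burp's built-in rule). It follows the maintainer's reasoning: a site with no CSP anywhere is reported as an informational defense-in-depth observation, while a site that enforces CSP on some HTML pages but not others is the more interesting case and gets a low-severity finding, grouped per host the way Burp groups issues so that results are not flooded with one issue per page. A `Content-Security-Policy-Report-Only` header is treated as not enforcing, since it only reports violations. The `Response` type and the sample responses are constructed for the example.

```python
"""Report HTTP responses that lack an enforced Content-Security-Policy header,
distinguishing site-wide absence from inconsistent per-path coverage.
Added example; the Response type and SAMPLE_RESPONSES are constructed here."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

ENFORCED = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response (hypothetical type)."""
    host: str
    path: str
    status: int
    content_type: str
    headers: dict[str, str]  # header names in whatever case the server sent


def has_enforced_csp(headers: dict[str, str]) -> bool:
    """True only for a non-empty, enforcing CSP header (name match is case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    return lower.get(ENFORCED, "").strip() != ""


def is_html(resp: Response) -> bool:
    """CSP governs document rendering, so only HTML responses are in scope."""
    return resp.content_type.split(";")[0].strip().lower() == "text/html"


def audit(responses: list[Response]) -> dict[str, dict]:
    """Return one finding per host that has at least one HTML page without an enforced CSP."""
    per_host: dict[str, dict[str, list[str]]] = defaultdict(
        lambda: {"with": [], "without": [], "report_only": []}
    )
    for r in responses:
        if not is_html(r):
            continue
        bucket = per_host[r.host]
        if has_enforced_csp(r.headers):
            bucket["with"].append(r.path)
        else:
            bucket["without"].append(r.path)
            if REPORT_ONLY in {k.lower() for k in r.headers}:
                bucket["report_only"].append(r.path)

    findings: dict[str, dict] = {}
    for host, b in per_host.items():
        if not b["without"]:
            continue  # every HTML page on this host enforces a policy
        if b["with"]:
            # Policy exists but is not applied everywhere: the gap is the issue.
            title, severity = "CSP header missing on some pages", "Low"
        else:
            # No policy anywhere: defense-in-depth observation, not a weakness.
            title, severity = "No CSP header on any page", "Information"
        findings[host] = {
            "title": title,
            "severity": severity,
            "missing_paths": sorted(b["without"]),
            "report_only_paths": sorted(b["report_only"]),
        }
    return findings


# Constructed sample traffic: one host with partial coverage, one with none.
SAMPLE_RESPONSES = [
    Response("example.test", "/index.html", 200, "text/html; charset=utf-8",
             {"Content-Security-Policy": "default-src 'self'"}),
    Response("example.test", "/admin/", 200, "text/html", {"Server": "nginx"}),
    Response("example.test", "/legacy/", 200, "text/html",
             {"Content-Security-Policy-Report-Only": "default-src 'self'"}),
    Response("example.test", "/logo.png", 200, "image/png", {}),  # out of scope
    Response("static.example.test", "/about", 200, "text/html", {}),
    Response("static.example.test", "/contact", 200, "text/html", {}),
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_RESPONSES).items():
        print(f"{host}: [{finding['severity']}] {finding['title']}")
        print("  missing on:", ", ".join(finding["missing_paths"]))
        if finding["report_only_paths"]:
            print("  report-only on:", ", ".join(finding["report_only_paths"]))
```

Running it reports a Low finding for `example.test` listing `/admin/` and `/legacy/`, and an Information finding for `static.example.test`; the PNG response is ignored. Since 2021 Burp's own scanner reports the missing header, so a check like this is mainly useful for the per-path consistency view.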