← Back to Findings

info Content Security Policy (CSP) Header Not Set

Details

Severityinfo
StatusOpen
Enginezap
Target URLhttps://easm.liifecore.com/cves?severity=LOW
First Seen2026-07-14 03:00:20 UTC
Last Seen2026-07-14 03:00:20 UTC
CWECWE-693

Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Raw Output

{
  "alert": "Content Security Policy (CSP) Header Not Set",
  "alertRef": "10038-1",
  "attack": "",
  "confidence": "High",
  "cweid": "693",
  "description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
  "evidence": "",
  "id": "87",
  "inputVector": "",
  "messageId": "180",
  "method": "GET",
  "name": "Content Security Policy (CSP) Header Not Set",
  "other": "",
  "param": "",
  "pluginId": "10038",
  "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP\nhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html\nhttps://www.w3.org/TR/CSP/\nhttps://w3c.github.io/webappsec-csp/\nhttps://web.dev/articles/csp\nhttps://caniuse.com/#feat=contentsecuritypolicy\nhttps://content-security-policy.com/",
  "risk": "Medium",
  "solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.",
  "sourceMessageId": 180,
  "sourceid": "3",
  "tags": {
    "CWE-693": "https://cwe.mitre.org/data/definitions/693.html",
    "OWASP_2017_A06": "https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html",
    "OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
    "POLICY_PENTEST": "",
    "POLICY_QA_STD": "",
    "SYSTEMIC": "https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#systemic"
  },
  "url": "https://easm.liifecore.com/cves?severity=LOW",
  "wascid": "15"
}

Update Status