ASVS
14.4.3 Should Content Security Policy be L1 or should it be higher?
CSP is not super easy to implement.
Do we definitely believe it should be Level 1? Current requirement:
[MODIFIED] Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like HTML, DOM, CSS, JSON, and JavaScript injection vulnerabilities.
I support level 1. It's not some nuclear science. It's a "smell of security": if you don't even have CSP set, that usually correlates well with general quality.
I'm with @elarlang here, it is a good indicator of the basics and not hard to implement and for me, sets the tone for a lot moving forward.
Additional point of view: if you think that something in the CSP declaration is too advanced for level one, we can split the requirement with clear goals. For example, level 1 should take care that all external sources are allow-listed with *-src or nonced, etc., and level 2+ is for SRI checks (but that's covered by 14.2.3).
I guess the question is, how easy is it to backport for older applications? Is there a risk that by making this level 1 we are stopping this level from being accessible to older applications that rely on functionality that would normally be blocked using CSP?
14.4.3 does not really specify how well the CSP should protect against XSS. If you want a CSP that actually blocks all XSS, that could be next to impossible for legacy applications. If you slap Content-Security-Policy: script-src 'unsafe-inline' on your legacy application, you have a CSP but only minimal protection against XSS. But even that provides some protection, is easy to implement, and makes people think about which resources need to be permitted. I think requiring a CSP that is not necessarily watertight is OK for level 1, and achievable.
Seems to be support for keeping as L1