
Content Security Policy Header - The Content-Security-Policy header does not include the 'require-sri-for' directive.

Severity
2
CVSS
(AV:L/AC:M/Au:N/C:P/I:N/A:N)
Published
Jan 1, 2016
Added
Jul 16, 2019
Modified
Jul 16, 2019

Description

The 'require-sri-for script' directive has not been declared in your Content-Security-Policy, either via the HTTP response header or the equivalent meta tag, so the browser's trust in content fetched from another server can be exploited. Without it the browser loads and executes a script purely because it trusts the source it was told to fetch from, so a malicious script is executed by the victim's browser even when the content does not actually originate from where it appears to.

Solution

cspheaders-cspheaders-r04

References
