CME-905

Content Security Policy (CSP) Headers

Description

Browser-enforced policy delivered as an HTTP response header that restricts the origins scripts may be loaded from, prevents inline script execution, and blocks mixed content. Primary defense against stored and reflected XSS.

CVSS Vector Impacts

Metric                  Transition  Rationale
Attack Complexity (AC)  L → H       XSS payloads blocked by browser CSP enforcement; script sources restricted

CWE Relationships

Verification

Check that HTTP responses carry a Content-Security-Policy header:

$ curl -sI http://target/ | grep -i content-security-policy
# Expected: a "Content-Security-Policy:" line in the output
# -I sends a HEAD request; if the server omits the header on HEAD, retry with GET:
#   curl -s -D - -o /dev/null http://target/ | grep -i content-security-policy
# Presence alone is not enough: review the policy value (e.g. script-src must not
# allow 'unsafe-inline', or inline execution is not actually prevented)
Platform: any