CSP Headers not being sent/received by ZAP Browser


kodeeo

Sep 26, 2025, 6:32:24 AM (11 days ago) Sep 26
to ZAP User Group

I am sure my website is sending out CSP headers, but when I analyze it through ZAP, it always complains the CSP header is not set.

Upon checking from the ZAP browser, the header does not in fact get sent. 

But if I use my normal browser (Mozilla Firefox, the very same installation ZAP uses) the header does get sent.

What is happening and why? My application does not have any user-agent specific rule about sending CSP.


kingthorin+zap

Sep 26, 2025, 10:13:18 AM (11 days ago) Sep 26
to ZAP User Group
You probably have a Replacer rule or script that's removing it.

Michele Romanin

Sep 26, 2025, 10:18:17 AM (11 days ago) Sep 26
to zaprox...@googlegroups.com
Is something like this enabled by default?
I am pretty sure I am running ZAP with default settings; I've not made any script or replace rule.


kingthorin+zap

Sep 26, 2025, 11:10:28 AM (11 days ago) Sep 26
to ZAP User Group
Nope
Are you using HUD?

Michele Romanin

Sep 26, 2025, 11:11:54 AM (11 days ago) Sep 26
to zaprox...@googlegroups.com
I have disabled it, and I have also disabled the flag in the settings to strip CSP for the HUD.

kingthorin+zap

Sep 26, 2025, 11:38:25 AM (11 days ago) Sep 26
to ZAP User Group
I can't think of anything else, but it's hard to debug when not in front of it.

Simon Bennetts

Sep 30, 2025, 4:37:50 AM (8 days ago) Sep 30
to ZAP User Group
You should be able to confirm if ZAP is reporting the right headers by double checking with another tool like curl.

Cheers,

Simon
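The curl cross-check Simon suggests, written out as an added example (not code from the thread or from the ZAP project): a POSIX shell script that fetches the response headers once directly and once through ZAP's local proxy, then compares the CSP lines. It assumes ZAP's default listener at 127.0.0.1:8080 and a target URL supplied by the caller.

```shell
#!/bin/sh
# Added example: confirm a site's CSP header with curl, once directly and
# once through ZAP's proxy, and report any difference.
# Assumptions: ZAP listens on 127.0.0.1:8080 (its default); the target URL is
# passed by the caller; -k is used only for the proxied request because ZAP
# re-signs TLS with its own generated CA.

# Print every Content-Security-Policy / Content-Security-Policy-Report-Only
# header line from a block of raw response headers (case-insensitive, CRLF-tolerant).
csp_from_headers() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($0) ~ /^content-security-policy(-report-only)?:/ { print }'
}

# Fetch response headers only (-D - dumps them, -o /dev/null drops the body).
# Second argument, if given, is the proxy to route through.
fetch_headers() {
    if [ -n "$2" ]; then
        curl -sS -D - -o /dev/null -k -x "$2" "$1"
    else
        curl -sS -D - -o /dev/null "$1"
    fi
}

# Compare what the origin sends with what arrives through ZAP. Exit 0 when the
# CSP lines match, 1 when they differ (for example stripped by a Replacer rule
# or by the HUD's CSP handling).
compare_csp() {
    url="$1"; proxy="${2:-http://127.0.0.1:8080}"
    direct=$(csp_from_headers "$(fetch_headers "$url")")
    via_zap=$(csp_from_headers "$(fetch_headers "$url" "$proxy")")
    echo "direct : ${direct:-<no CSP header>}"
    echo "via ZAP: ${via_zap:-<no CSP header>}"
    [ "$direct" = "$via_zap" ]
}

# Usage: sh check_csp.sh https://your-site.example/ [http://zap-host:port]
if [ $# -gt 0 ]; then
    compare_csp "$@"
fi
```

If the direct fetch shows the header but the proxied one does not, the header is being removed inside ZAP rather than by the application.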