CSP: Wildcard Directive Issue


Philip Louis Calub

Jun 21, 2022, 11:58:51 PM
to OWASP ZAP User Group
Hello, good day!

I'm using the Docker Baseline Scan to scan my website.

I've added add_header Content-Security-Policy "default-src 'self'"; to my nginx conf.

I'm still getting the CSP: Wildcard Directive.

Any ideas on how to solve the CSP: Wildcard Directive? 

Simon Bennetts

Jun 22, 2022, 3:34:57 AM
to OWASP ZAP User Group
Can you run ZAP locally and give us an example of the alert with all of the alert information, including the response header?
Redacting any sensitive information of course.
The full alert details should give you much more useful information.

Cheers,

Simon

Philip Louis Calub

Jun 22, 2022, 3:51:32 AM
to OWASP ZAP User Group
Here's the ZAP result, run in Docker locally.

Thanks,

Philip
result.html

kingthorin+owaspzap

Jun 22, 2022, 11:38:57 AM
to OWASP ZAP User Group
You're using a report that does not include the "Other Info" field. There are some CSP directives that DO NOT fall back to default-src; therefore, if you don't define them, that's the same as using a wildcard directive.
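The point in the reply above, as an added example that is not part of this thread or of ZAP's own scan rule: a small checker that parses a Content-Security-Policy header value and reports (a) explicit '*' sources, (b) fetch directives left open because default-src is missing or '*', and (c) the source-list directives that never inherit from default-src (base-uri, form-action, frame-ancestors, per the CSP Level 3 spec), so that the poster's header "default-src 'self'" is flagged for exactly the reason given. The function names and the sample policies are constructed for this illustration.

```python
"""Audit a CSP header value for directives that are effectively wildcard.

Hypothetical helper for illustration, not ZAP code. Directive lists follow
the CSP Level 3 spec: fetch directives inherit from default-src when absent;
base-uri, form-action and frame-ancestors never do.
"""

# Fetch directives that fall back to default-src when not set.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src",
    "script-src-elem", "script-src-attr", "style-src", "style-src-elem",
    "style-src-attr", "worker-src",
}

# Source-list directives with NO default-src fallback: leaving them out is
# equivalent to allowing any source, which is what the ZAP alert reports.
NO_FALLBACK_DIRECTIVES = {"base-uri", "form-action", "frame-ancestors"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive-name: [source, ...]}.

    Directive names are case-insensitive, and when a directive is repeated
    the first occurrence wins (later duplicates are ignored by browsers).
    """
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def wildcard_findings(header: str) -> dict[str, str]:
    """Return {directive: reason} for each directive an auditor would flag."""
    policy = parse_csp(header)
    findings: dict[str, str] = {}

    # 1. Explicit '*' in any directive's source list.
    for name, sources in policy.items():
        if "*" in sources:
            findings[name] = "allows wildcard source '*'"

    # 2. Absent fetch directives inherit default-src; if default-src itself is
    #    absent or '*', each of them is effectively wide open.
    default = policy.get("default-src")
    if default is None or "*" in default:
        for name in sorted(FETCH_DIRECTIVES - set(policy)):
            findings[name] = "not set and default-src is missing or '*'"

    # 3. Directives that never inherit from default-src must be set explicitly.
    for name in sorted(NO_FALLBACK_DIRECTIVES - set(policy)):
        findings[name] = "not set and does not fall back to default-src"

    return findings


if __name__ == "__main__":
    # Constructed sample policies: the poster's header, then a fixed version.
    for sample in (
        "default-src 'self'",
        "default-src 'self'; base-uri 'self'; form-action 'self'; "
        "frame-ancestors 'none'",
    ):
        print(f"{sample!r}:")
        for directive, reason in wildcard_findings(sample).items():
            print(f"  {directive}: {reason}")
        if not wildcard_findings(sample):
            print("  no wildcard findings")
```

The fixed policy in the demo is one way to clear the alert for a site that is not embedded in frames and only posts forms to itself; the exact values belong to the site, but the three non-fallback directives must be present explicitly for the finding to go away.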