CSP: Wildcard Directive or A private IP alert always comes back even when the necessary things are configured


Salam Elias

Dec 9, 2025, 11:26:49 AM
to ZAP User Group
I have this header on my IIS web site but am still getting an alert:

Content-Security-Policy : default-src 'self' https://mywebsite.fr https://mywebsite.free.fr/Blogengine; img-src 'self' https://mywebsite.fr; object-src 'self; script-src 'self'

When I rerun ZAP, I get:
CSP: Wildcard Directive
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks.
Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.
CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that
page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Also, I have an alert which is very strange, indicating that there is a leak of a private IP which does not exist on my server:

A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body.
This information might be helpful for further attacks targeting internal systems.
Remove the private IP address from the HTTP response body.
For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

When I browse my website and open dev tools > Network > Headers, I see only the public address.
[attached screenshot: 2025-12-09_1.png]
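Added worked example (editorial, not part of the original post and not ZAP's own scan code): a small Python script that re-checks both alerts offline. The CSP part parses the header exactly as posted and reports what a spec-based checker would report, using CSP Level 3 rules rather than ZAP's implementation: quoted keyword sources such as 'self' must be balanced (the posted object-src has `'self;` with no closing quote, so browsers report an invalid source and ignore it), `*` and scheme-only sources count as wildcards, and frame-ancestors, form-action and base-uri never fall back to default-src, so a policy built on default-src alone still leaves them undefined. The private-IP part scans a constructed HTML response body (SAMPLE_BODY is made up for the example, not taken from the poster's site) for the RFC 1918 ranges and EC2 ip-10-... hostnames the alert names, and records whether each hit sits inside an HTML comment, since the alert text refers to the response body rather than to the response headers shown in dev tools.

```python
"""Offline re-check of the two ZAP alerts quoted in the post (added example).

Assumptions, labelled: the CSP checks follow CSP Level 3, not ZAP's scan rule;
SAMPLE_BODY is a constructed HTML response, not the poster's real site.
"""
import re
from typing import Dict, List

# The header exactly as posted (note the unbalanced quote in object-src).
POSTED_HEADER = ("default-src 'self' https://mywebsite.fr https://mywebsite.free.fr/Blogengine; "
                 "img-src 'self' https://mywebsite.fr; object-src 'self; script-src 'self'")

# Directives that never fall back to default-src (CSP Level 3); a policy that
# relies on default-src alone still leaves these undefined.
NO_FALLBACK = ("frame-ancestors", "form-action", "base-uri")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive, and a repeated directive is ignored (first one wins).
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def check_csp(header: str) -> List[str]:
    """Return human-readable findings of the kind a CSP scanner reports."""
    findings: List[str] = []
    policy = parse_csp(header)
    for name, sources in policy.items():
        for src in sources:
            # Keyword sources ('self', 'none', nonces, hashes) must be fully quoted;
            # a browser rejects an unbalanced token and ignores it.
            if src.startswith("'") and not (len(src) > 1 and src.endswith("'")):
                findings.append(f"{name}: malformed source {src!r} (unbalanced quote)")
            # '*' and scheme-only sources allow content from any host.
            elif src == "*" or src.startswith("*.") or src in ("http:", "https:"):
                findings.append(f"{name}: wildcard source {src!r}")
    for directive in NO_FALLBACK:
        if directive not in policy:
            findings.append(f"{directive}: not defined and does not fall back to default-src")
    return findings


# RFC 1918 ranges (10/8, 172.16/12, 192.168/16) plus EC2-style ip-10-x-x-x hostnames.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|ip-10-\d{1,3}-\d{1,3}-\d{1,3})\b"
)

# Constructed response body for the example; the leaks are deliberate.
SAMPLE_BODY = """<!DOCTYPE html>
<html>
<head><title>BlogEngine</title></head>
<!-- deploy note: origin server 10.0.56.78, see ip-10-0-56-78 in the console -->
<body>
<script>
  // TODO remove before release
  var debugHost = "192.168.1.20";
  var version = "172.200.1.1"; /* public address, not RFC 1918 */
</script>
</body>
</html>
"""


def _in_html_comment(body: str, pos: int) -> bool:
    """True if the most recent '<!--' before pos has not been closed by '-->'."""
    open_idx = body.rfind("<!--", 0, pos)
    return open_idx != -1 and body.find("-->", open_idx, pos) == -1


def find_private_ips(body: str) -> List[dict]:
    """Scan a response body and report each private address with its line number."""
    hits = []
    for m in PRIVATE_IP_RE.finditer(body):
        hits.append({
            "match": m.group(0),
            "line": body.count("\n", 0, m.start()) + 1,
            "in_html_comment": _in_html_comment(body, m.start()),
        })
    return hits


if __name__ == "__main__":
    for finding in check_csp(POSTED_HEADER):
        print("CSP:", finding)
    for hit in find_private_ips(SAMPLE_BODY):
        print("Private IP:", hit)
```

Run it against a saved copy of the real response body (for example the output of `curl -s https://mywebsite.fr`) in place of SAMPLE_BODY to see which line ZAP is matching; a hit inside `<!-- -->` is exactly the HTML-comment case the alert text advises replacing with a server-side comment.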