Content Security Policy Configuration

Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

Vulnerability found in /

CSP is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

CSP is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

CSP is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

CSP is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

CSP is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

CSP is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

CSP is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Solutions

Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control what resources the user agent is allowed to load for that page.

References

• Mozilla: Content Security Policy (CSP)
• OWASP: Content Security Policy Cheat Sheet
• OWASP: How to do Content Security Policy (PDF)

---

HTTP Secure Headers

Description

HTTP security headers tell the browser how to behave when handling the website's content.

Vulnerability found in /

X-Content-Type-Options is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

Strict-Transport-Security is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

X-Content-Type-Options is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

Strict-Transport-Security is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

X-Content-Type-Options is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

Strict-Transport-Security is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

X-Content-Type-Options is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

Strict-Transport-Security is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

X-Content-Type-Options is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

Strict-Transport-Security is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

X-Content-Type-Options is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

Strict-Transport-Security is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

X-Content-Type-Options is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Vulnerability found in /

Strict-Transport-Security is not set

GET / HTTP/1.1
Host: mcuxpresso.nxp.com

curl "https://mcuxpresso.nxp.com/"

Solutions

Use the recommendations for hardening your HTTP Security Headers.

References

• Netsparker: HTTP Security Headers: An Easy Way to Harden Your Web Applications
• KeyCDN: Hardening Your HTTP Security Headers
• OWASP: HTTP SECURITY HEADERS (Protection For Browsers) (PDF)

---