Control: Site headers must contain Content-Security-Policy
Description
The Content Security Policy (CSP) response header includes a comprehensive set of directives that help prevent client-side attacks, such as Cross-Site Scripting and Clickjacking, by restricting the type of content the browser is allowed to include or execute.
Usage
Run the control in your terminal:
powerpipe control run net_insights.control.security_headers_content_security_policy
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run net_insights.control.security_headers_content_security_policy --share
Steampipe Tables
Params
Args | Name | Default | Description | Variable
---|---|---|---|---
$1 | website_urls | | Website URLs. |
SQL
with available_headers as (
  select
    url,
    array_agg(header.key)
  from
    net_http_request,
    jsonb_each(response_headers) as header
  where
    url in (select jsonb_array_elements_text(to_jsonb($1::text[])))
  group by
    url
)
select
  url as resource,
  case
    when array['Content-Security-Policy'] <@ array_agg then 'ok'
    else 'alarm'
  end as status,
  case
    when array['Content-Security-Policy'] <@ array_agg then url || ' contains required headers ''Content-Security-Policy''.'
    else url || ' missing required headers ''Content-Security-Policy''.'
  end as reason
from
  available_headers;
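The same ok/alarm evaluation, as an added Python example that is not part of the mod, run over constructed response headers so it can be tested offline. HTTP header names are case-insensitive (and arrive lowercased over HTTP/2), so it matches the header name case-insensitively, and it does not count an empty policy or a Content-Security-Policy-Report-Only header, which only reports violations and enforces nothing.

```python
# Added example (not part of the Powerpipe net_insights mod): re-implements the
# control's check over a dict of response headers per URL.
HEADER = "Content-Security-Policy"
REPORT_ONLY = "Content-Security-Policy-Report-Only"


def evaluate_csp(url, response_headers):
    """Return (status, reason) for one URL, shaped like the control's SQL row."""
    # Normalise header names: HTTP header names are case-insensitive.
    headers = {k.lower(): v for k, v in response_headers.items()}
    policy = headers.get(HEADER.lower(), "")
    if policy.strip():
        return "ok", f"{url} contains required headers '{HEADER}'."
    if REPORT_ONLY.lower() in headers:
        # Report-Only delivers violation reports but blocks nothing.
        return "alarm", f"{url} has only '{REPORT_ONLY}'; '{HEADER}' is missing."
    return "alarm", f"{url} missing required headers '{HEADER}'."


def run_control(responses):
    """Evaluate every URL; returns a list of (resource, status, reason) rows."""
    return [(url, *evaluate_csp(url, hdrs)) for url, hdrs in responses.items()]


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "https://example.com": {"content-security-policy": "default-src 'self'",
                            "Content-Type": "text/html"},
    "https://example.org": {"Content-Security-Policy-Report-Only": "default-src 'none'"},
    "https://example.net": {"X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for row in run_control(SAMPLE_RESPONSES):
        print(row)
```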