ASVS Requirement 3.4.3
- Level: 2
- Chapter: V3 Web Frontend Security
- Section: V3.4 Browser Security Mechanism Headers
- Source: 0x12-V3-Web-Frontend-Security.md
Description
Verify that HTTP responses include a Content-Security-Policy response header field which defines directives to ensure the browser only loads and executes trusted content or resources, in order to limit execution of malicious JavaScript. As a minimum, a global policy must be used which includes the directives object-src 'none' and base-uri 'none' and either defines an allowlist or uses nonces or hashes. For an L3 application, a per-response policy with nonces or hashes must be defined.
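As an added example (not code from ASVS), a small Python checker that parses a Content-Security-Policy value and reports where it falls short of the L2 minimum stated above; the sample policies and the host https://cdn.example.com are constructed.

```python
# Added example (not ASVS-provided code): checks a CSP header value against
# the L2 minimum of requirement 3.4.3. The sample policies are constructed.

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            name, *sources = tokens
            policy.setdefault(name.lower(), []).extend(sources)
    return policy

def check_csp_l2(header: str) -> list[str]:
    """Return findings against the 3.4.3 L2 minimum; an empty list means it passes."""
    policy = parse_csp(header)
    findings: list[str] = []
    for directive in ("object-src", "base-uri"):
        if policy.get(directive) != ["'none'"]:
            findings.append(f"{directive} must be set to 'none'")
    # script-src governs JavaScript; when absent the browser falls back to default-src
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("neither script-src nor default-src present: scripts unrestricted")
        return findings
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in script)
    # an allowlist is 'self' or concrete scheme/host sources, not a bare wildcard
    allowlist = [s for s in script if s == "'self'" or (not s.startswith("'") and s != "*")]
    if not has_nonce_or_hash and not allowlist:
        findings.append("script-src defines neither an allowlist nor nonces/hashes")
    # 'unsafe-inline' re-enables inline scripts unless a nonce or hash is also present
    # (browsers then ignore it), which defeats the purpose of the policy
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    return findings

# Constructed sample policies: one weak, one allowlist-based, one nonce-based
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'"
ALLOWLIST_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                    "object-src 'none'; base-uri 'none'")
NONCE_POLICY = ("script-src 'nonce-r4nd0m' 'strict-dynamic'; "
                "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for label, value in [("weak", WEAK_POLICY), ("allowlist", ALLOWLIST_POLICY), ("nonce", NONCE_POLICY)]:
        print(label, check_csp_l2(value) or "OK")
```

The checker covers only the global-policy minimum; the L3 per-response requirement additionally needs a fresh nonce generated for each response, which a static header check cannot verify.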