Skip to content

[ZAP Security] CSP: style-src unsafe-inline #419

Description

@github-actions

CSP: style-src unsafe-inline

Risk Level: Medium

Confidence: 3

Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Solution

Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Reference

https://www.w3.org/TR/CSP/

https://caniuse.com/#search=content+security+policy

https://content-security-policy.com/

https://github.com/HtmlUnit/htmlunit-csp

https://web.dev/articles/csp#resource-options

CWE ID: 693

WASC ID: 15

Example Instance

URL: https://localhost:44340

Method: GET

Parameter: Content-Security-Policy

Evidence:

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'

Other Info: style-src includes unsafe-inline.


This issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2025-12-04
Plugin ID: 10055

Scan Metadata

  • Branch: main
  • Template Source: Local Repository Code
  • Clean Template Version: 7.0.1
  • Umbraco CMS Version: 17.0.0

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions