Content Security Policy (CSP) fetch directives tell the browser which sources a page may load each kind of resource from (scripts, styles, images, frames, and so on). A policy that restricts script sources limits what an attacker can do with a cross-site scripting (XSS) injection point, because injected markup cannot pull in script from an origin the policy does not list.

Why is this an issue?

When no CSP fetch directives are set, or when default-src is missing and a resource type has no directive of its own, the browser applies no restriction on where that resource type is loaded from. default-src is the fallback for every fetch directive that is not set explicitly, so leaving it out leaves every unlisted resource type open. The same-origin policy does not help here: it stops a page from reading cross-origin responses, but it lets a page load and execute script from any origin. A page with an XSS vulnerability can therefore be exploited to load and execute scripts hosted on an attacker-controlled origin. This rule raises an issue when content security policy fetch directives are disabled or misconfigured.

What is the potential impact?

Without CSP fetch directives, an attacker who finds an injection point is not limited to whatever fits in the injected payload: the payload can load and execute a full malicious script from any origin. Because that script runs in the page's origin, it can hijack the session, steal credentials or other data the page can reach, deface the page, or serve as a foothold for further attacks against the user's browser.

How to fix it

Code examples

Noncompliant code example

const express = require('express');
const helmet = require('helmet');

const app = express();
app.use(
    helmet({
      // Disabling the middleware means no Content-Security-Policy header is
      // sent at all, so scripts and other resources may come from any origin.
      contentSecurityPolicy: false, // Noncompliant
    })
);

Compliant solution

const express = require('express');
const helmet = require('helmet');

const app = express();
// Called with no options, helmet sends its default policy, which includes
// default-src 'self', so every fetch directive that is not set explicitly
// falls back to the page's own origin.
app.use(helmet.contentSecurityPolicy());
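The fallback behaviour described above (an absent fetch directive inherits default-src, and when default-src is absent too the resource type is unconstrained) is easy to get wrong when a policy is written by hand. The following is an added example, not part of this rule or of helmet: it parses a Content-Security-Policy header value, applies the browser's fallback rule, and reports the gaps this rule targets. The functions parsePolicy, effectiveSources, hasNonceOrHash and auditPolicy, and the sample policies, are constructed here for illustration.

```javascript
'use strict';
// Added example: a small CSP audit, not helmet's code. Names are ours.

// Fetch directives that fall back to default-src when they are not set.
const FETCH_DIRECTIVES = [
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
  'manifest-src',
];

// Parse a header value such as "default-src 'self'; script-src 'self' https://cdn.example"
// into a Map from directive name to its list of source expressions. Directive
// names are case-insensitive; source expressions are kept as written because
// nonces and hashes are case-sensitive.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Browsers honour only the first occurrence of a directive.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// The browser's fallback rule: an absent fetch directive inherits default-src;
// if default-src is absent too, that resource type is unrestricted (null here).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// CSP2+ browsers ignore 'unsafe-inline' in a source list that also carries a
// nonce or hash, so that combination is a compatibility shim, not a weakness.
function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// Report the misconfigurations this rule is about: resource types left open
// because default-src is missing, and script sources that let an injection
// point pull in script from anywhere.
function auditPolicy(header) {
  const policy = parsePolicy(header);
  const findings = [];

  const unrestricted = FETCH_DIRECTIVES.filter((d) => effectiveSources(policy, d) === null);
  if (unrestricted.length > 0) {
    findings.push(`no default-src: unrestricted ${unrestricted.join(', ')}`);
  }

  const scripts = effectiveSources(policy, 'script-src');
  if (scripts !== null) {
    if (scripts.includes('*')) findings.push("script-src allows any origin ('*')");
    if (scripts.some((s) => /^https?:$/i.test(s))) findings.push('script-src allows any host over a scheme');
    if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash(scripts)) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    }
  }
  return findings;
}

// Constructed sample policies (not captured from a real deployment).
const SAMPLE_POLICIES = {
  // What an application sends when the CSP middleware is disabled.
  none: '',
  // Restricts scripts but nothing else: images, frames, objects and so on stay open.
  scriptOnly: "script-src 'self'",
  // Resembles the default policy a helmet-style middleware emits.
  defaults: "default-src 'self'; object-src 'none'; script-src 'self'; img-src 'self' data:",
  // Nonce-based policy with 'unsafe-inline' kept only for pre-CSP2 browsers.
  nonced: "default-src 'none'; script-src 'nonce-r4nd0m' 'unsafe-inline'; style-src 'self'",
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, header] of Object.entries(SAMPLE_POLICIES)) {
    console.log(name, auditPolicy(header));
  }
}
```

Run the file to see that the empty policy and the script-only policy each produce a finding listing the unrestricted resource types, while the default-style and nonce-based policies produce none. The same audit can be pointed at the header an application actually emits (for example by capturing the response of a test request) to confirm that a helmet configuration produced the policy that was intended.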

Resources

Documentation

Standards