Open
Description
See for details:
- https://content-security-policy.com/
- http://cspisawesome.com/
- https://httpsecurityreport.com/best_practice.html#contentSecurityPolicy
- https://scotthelme.co.uk/content-security-policy-an-introduction/
- https://60devs.com/using-content-security-policy.html
- http://docs.spring.io/spring-security/site/docs/4.2.x/reference/htmlsingle/#headers-csp
- https://github.com/shapesecurity/salvation and http://cspvalidator.org/
- https://csp-evaluator.withgoogle.com
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- https://rapidsec.com/analyze
- https://cspscanner.com
- https://cspscanner.com/csp-bypasses
- https://medium.com/@bhaveshthakur2015/content-security-policy-csp-bypass-techniques-e3fa475bfe5d
- https://devdocs.io/http-csp/
- https://www.hardenize.com
- Mixed content not blocked: this CSP policy does not use any of the directives designed to handle mixed content. Consider using the 'block-all-mixed-content' and 'upgrade-insecure-requests' directives as appropriate to ensure that no mixed content is allowed.
- Form targets not restricted: the 'form-action' directive is not explicitly set. Because this directive does not fall back to 'default-src', all form submission targets are allowed.
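The two findings above can be reproduced with a small policy checker. This is an added example, not code from the issue or from any of the tools linked above; the policy strings are constructed sample headers, and `NO_FALLBACK` lists the directives that, per the CSP specification, do not inherit from `default-src`.

```python
"""Minimal CSP checker reproducing the mixed-content and form-action findings."""
from typing import Dict, List

# Directives that never fall back to default-src (CSP Level 2/3).
NO_FALLBACK = {
    "form-action", "frame-ancestors", "base-uri", "sandbox", "report-uri",
    "report-to", "upgrade-insecure-requests", "block-all-mixed-content",
}

# Constructed sample headers: the weak policy and the corrected one.
WEAK_POLICY = "default-src 'self'; script-src 'self' https://cdn.example"
FIXED_POLICY = (WEAK_POLICY + "; form-action 'self'; "
                "upgrade-insecure-requests; block-all-mixed-content")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # spec: duplicate directives are ignored
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that actually apply to a directive, honouring fallback rules."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return ["*"]  # no fallback: the directive is effectively unrestricted
    return policy.get("default-src", ["*"])


def check_csp(header: str) -> List[str]:
    """Return the findings from the issue that apply to this header value."""
    policy = parse_csp(header)
    findings: List[str] = []
    if ("block-all-mixed-content" not in policy
            and "upgrade-insecure-requests" not in policy):
        findings.append("Mixed content not blocked")
    if "form-action" not in policy:
        findings.append("Form targets not restricted")
    return findings


if __name__ == "__main__":
    print("weak:", check_csp(WEAK_POLICY))    # both findings
    print("fixed:", check_csp(FIXED_POLICY))  # []
```

Note that `effective_sources` shows why the second finding matters: with the weak policy, `img-src` inherits `'self'` from `default-src`, but `form-action` resolves to `*`.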