Control: Site headers must contain Content-Security-Policy
Description
The Content Security Policy (CSP) response header includes a comprehensive set of directives that help prevent client-side attacks, such as Cross-Site Scripting and Clickjacking, by restricting the type of content the browser is allowed to include or execute.
Usage
Run the control in your terminal:
steampipe check net_insights.control.security_headers_content_security_policy
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share net_insights.control.security_headers_content_security_policy
Plugins & Tables
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | website_urls | | Website URLs. | |
SQL
```sql
-- Collect, per URL, the set of response header names returned by the site.
with available_headers as (
  select
    url,
    array_agg(header.key)
  from
    net_http_request,
    jsonb_each(response_headers) as header
  where
    -- $1 is the website_urls parameter, passed as a text array
    url in (
      select jsonb_array_elements_text(to_jsonb($1 :: text[]))
    )
  group by
    url
)
select
  url as resource,
  -- <@ is the array "is contained by" operator: ok only if the header name is present
  case
    when array['Content-Security-Policy'] <@ array_agg then 'ok'
    else 'alarm'
  end as status,
  case
    when array['Content-Security-Policy'] <@ array_agg then url || ' contains required headers ''Content-Security-Policy''.'
    else url || ' missing required headers ''Content-Security-Policy''.'
  end as reason
from
  available_headers;
```
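The control above only tests that the header is present, not what it allows. As an added example (not part of the net_insights mod), the same query pattern can be extended to inspect the header value and alarm when the script-src directive permits 'unsafe-inline' or a bare '*'; it assumes, as the control does, that net_http_request.response_headers is a jsonb object keyed by canonical header name and that $1 is the website_urls array.

```sql
-- Added example, not part of the net_insights mod: alarm when the CSP header is
-- absent OR when its script-src directive allows 'unsafe-inline' or a bare '*'.
-- Assumes, like the original control, that net_http_request.response_headers is a
-- jsonb object keyed by canonical header name and that $1 is the website_urls array.
with csp_headers as (
  select
    url,
    -- cast the jsonb value to text so the regex works whether the plugin stores
    -- the header as a JSON string or as a JSON array of strings
    max(header.value :: text)
      filter (where header.key = 'Content-Security-Policy') as csp
  from
    net_http_request,
    jsonb_each(response_headers) as header
  where
    url in (select jsonb_array_elements_text(to_jsonb($1 :: text[])))
  group by
    url
),
evaluated as (
  select
    url,
    csp,
    -- script-src directive whose source list contains 'unsafe-inline' or a
    -- standalone * (a host wildcard such as *.example.com is not matched)
    csp ~* 'script-src[^;]*(''unsafe-inline''|\s\*(\s|;|$|"))' as weak_script_src
  from
    csp_headers
)
select
  url as resource,
  case
    when csp is null then 'alarm'
    when weak_script_src then 'alarm'
    else 'ok'
  end as status,
  case
    when csp is null then url || ' missing required header ''Content-Security-Policy''.'
    when weak_script_src then url || ' Content-Security-Policy script-src permits ''unsafe-inline'' or ''*''.'
    else url || ' Content-Security-Policy script-src does not permit ''unsafe-inline'' or ''*''.'
  end as reason
from
  evaluated;
```

Browsers that implement CSP3 ignore 'unsafe-inline' in a script-src that also carries a nonce or hash source, so treat an alarm from this check as a prompt to review the policy rather than a definitive finding.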