Control: Site headers must contain Content-Security-Policy

Description

The Content Security Policy (CSP) response header includes a comprehensive set of directives that help prevent client-side attacks, such as Cross-Site Scripting and Clickjacking, by restricting the type of content the browser is allowed to include or execute.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.security_headers_content_security_policy

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.security_headers_content_security_policy --share

Steampipe Tables

net_http_request

Params

Args	Name	Default	Description	Variable
$1	website_urls	`["https://github.com","https://microsoft.com"]`	Website URLs.	website_urls

SQL

with available_headers as (
  select
    url,
    array_agg(header.key)
  from
    net_http_request,
    jsonb_each(response_headers) as header
  where
    url in (
      select
        jsonb_array_elements_text(to_jsonb($1 :: text [ ]))
    )
  group by
    url
)
select
  url as resource,
  case
    when array [ 'Content-Security-Policy' ] < @ array_agg then 'ok'
    else 'alarm'
  end as status,
  case
    when array [ 'Content-Security-Policy' ] < @ array_agg then url || ' contains required headers ''Content-Security-Policy''.'
    else url || ' missing required headers ''Content-Security-Policy''.'
  end as reason
from
  available_headers;