turbot/net_insights

Control: Site headers must contain Content-Security-Policy

Description

The Content Security Policy (CSP) response header includes a comprehensive set of directives that help prevent client-side attacks, such as Cross-Site Scripting and Clickjacking, by restricting the type of content the browser is allowed to include or execute.

Usage

Run the control in your terminal:

steampipe check net_insights.control.security_headers_content_security_policy

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share net_insights.control.security_headers_content_security_policy

Plugins & Tables

Params

Args  Name          Default                                          Description    Variable
$1    website_urls  ["https://github.com","https://microsoft.com"]   Website URLs.

SQL

-- Collect, per URL, the names of every response header the site returned.
with available_headers as (
  select
    url,
    array_agg(header.key)   -- implicit output column name is "array_agg"
  from
    net_http_request,
    jsonb_each(response_headers) as header
  where
    url in (
      select
        jsonb_array_elements_text(to_jsonb($1::text[]))
    )
  group by
    url
)
select
  url as resource,
  -- "<@" is the Postgres "is contained by" array operator: the check passes
  -- when the required header name appears among the returned header names.
  case
    when array['Content-Security-Policy'] <@ array_agg then 'ok'
    else 'alarm'
  end as status,
  case
    when array['Content-Security-Policy'] <@ array_agg then url || ' contains required headers ''Content-Security-Policy''.'
    else url || ' missing required headers ''Content-Security-Policy''.'
  end as reason
from
  available_headers;
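The control above only tests that the header is present; a site that sends `Content-Security-Policy: default-src *` passes just like one with a strict policy. The following Python script is an added example, not part of the net_insights mod: it reproduces the control's ok/alarm logic over constructed response headers (shaped like the `response_headers` JSON object of `net_http_request`) and then goes one step further by parsing the policy value and reporting directives that weaken its protection (`*`, `'unsafe-inline'`, `'unsafe-eval'`, a missing `default-src`). The sample URLs and header sets are constructed for the example.

```python
"""Offline re-implementation of the CSP presence check, plus a policy review.

Added example; not code from the net_insights mod. Sample data is constructed.
"""

REQUIRED_HEADER = "Content-Security-Policy"

# Constructed sample: url -> response headers, mirroring the shape of the
# response_headers column (header name -> value) used by the SQL control.
SAMPLE_RESPONSES = {
    "https://example-ok.test": {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    },
    "https://example-weak.test": {
        "Content-Type": "text/html",
        # lower-case key: still the same header on the wire
        "content-security-policy": "default-src *; script-src 'unsafe-inline' 'unsafe-eval' *",
    },
    "https://example-missing.test": {
        "Content-Type": "text/html",
        "X-Frame-Options": "DENY",
    },
}


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def weak_directives(policy):
    """Return human-readable findings for settings that make the policy permissive."""
    findings = []
    for directive in ("default-src", "script-src"):
        sources = policy.get(directive)
        if sources is None:
            continue
        if "*" in sources:
            findings.append(f"{directive} allows any origin (*)")
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                findings.append(f"{directive} allows {weak}")
    if "default-src" not in policy:
        findings.append("no default-src fallback for unlisted fetch directives")
    return findings


def check_site(url, headers):
    """Classify one site the way the control does, and attach policy findings."""
    # Header names are matched case-insensitively here. The SQL compares the
    # exact key string, which is fine because the plugin canonicalises names
    # to the 'Content-Security-Policy' form before storing them.
    csp = next((v for k, v in headers.items() if k.lower() == REQUIRED_HEADER.lower()), None)
    if csp is None:
        return {
            "resource": url,
            "status": "alarm",
            "reason": f"{url} missing required headers '{REQUIRED_HEADER}'.",
            "findings": [],
        }
    return {
        "resource": url,
        "status": "ok",
        "reason": f"{url} contains required headers '{REQUIRED_HEADER}'.",
        "findings": weak_directives(parse_csp(csp)),
    }


def run_control(responses=SAMPLE_RESPONSES):
    """Evaluate every sampled site; returns one row per URL like the SQL does."""
    return [check_site(url, headers) for url, headers in responses.items()]


if __name__ == "__main__":
    for row in run_control():
        print(f"{row['status']:5} {row['reason']}")
        for finding in row["findings"]:
            print(f"      - {finding}")
```

The `status` column deliberately mirrors the control (presence only), while `findings` carries the extra policy review, so the output can be compared line-for-line with the Steampipe result and the weak-policy cases triaged separately.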