CSP: script-src unsafe-hashes

CSP is a security mechanism that helps mitigate various types of attacks by defining which resources are allowed to be loaded by the browser. The ‘CSP: script-src unsafe-hashes' vulnerability arises due to the use of 'unsafe-hashes' in the 'script-src' directive, which poses a potential risk, as it allows inline scripts that may be susceptible to various attacks.

CSP is a security mechanism that helps mitigate various types of attacks by defining which resources (e.g., scripts, stylesheets) are allowed to be loaded by the browser. The ‘CSP: script-src unsafe-hashes' vulnerability arises due to the use of 'unsafe-hashes' in the 'script-src' directive, which poses a potential risk. In this step-by-step manual, we will guide you through the process of fixing this vulnerability, ensuring the security of your web application.

Step 1: Understand the 'script-src' Directive and 'unsafe-hashes':

The 'script-src' directive is part of the CSP that controls the loading and execution of scripts on your web application. The 'unsafe-hashes' keyword is used within 'script-src' to allow specific inline scripts based on their cryptographic hashes. However, using 'unsafe-hashes' weakens the CSP as it allows inline scripts that may be susceptible to various attacks.

Step 2: Identify and Review Affected Pages:

Before proceeding with the fix, identify the web pages where the 'CSP: script-src unsafe-hashes' vulnerability is reported. It is crucial to understand the context and impact of this vulnerability on your application.

Step 3: Update the Content Security Policy (CSP) Header:

To fix the vulnerability, you need to modify the 'script-src' directive in the CSP header. The CSP header is typically set in the server configuration or in the HTTP response headers. Locate the appropriate file or configuration settings where the CSP header is defined.

Step 4: Remove 'unsafe-hashes' and Use 'nonce' or 'strict-dynamic':

Instead of relying on 'unsafe-hashes', it is recommended to use other CSP mechanisms like 'nonce' or 'strict-dynamic'. These mechanisms provide a more secure approach to allowing inline scripts. The 'nonce' method involves generating a unique cryptographic nonce value for each inline script, while 'strict-dynamic' permits scripts from trusted sources.

Example using 'nonce':

<!-- Server-side: Generate a random nonce --> <?php $nonce = bin2hex(random_bytes(16)); header("Content-Security-Policy: script-src 'nonce-$nonce' 'strict-dynamic';"); ?> <!-- HTML: Apply the nonce to inline script --> <script nonce="<?php echo $nonce; ?>"> // Your inline script here </script>

Example using 'strict-dynamic':

<!-- Server-side: Set CSP header with strict-dynamic --> header("Content-Security-Policy: script-src 'strict-dynamic';"); <!-- HTML: Allow specific trusted scripts --> <script src="https://example.com/trusted-script.js"></script>

Step 5: Test and Validate the Changes:

After updating the CSP header, thoroughly test your web application to ensure that the changes haven't introduced any unexpected issues. Test various functionalities, including loading scripts and executing inline scripts, to ensure they continue to work as expected.

Step 6: Monitor and Fine-Tune Your Content Security Policy:

Once you have fixed the 'CSP: script-src unsafe-hashes' vulnerability, it is essential to continuously monitor and improve your CSP. Regularly review and update the policy as necessary to maintain the security and functionality of your web application.

Conclusion:

By following this step-by-step guide, you should be able to effectively fix the 'CSP: script-src unsafe-hashes' vulnerability in your web application. Remember to understand the impact of the vulnerability, modify the CSP header, and use secure alternatives like 'nonce' or 'strict-dynamic'. Regularly test and monitor your application's security to ensure a robust defense against


Achieve SOC2 Compliance

We make your startup SOC2 compliant by implementing and managing the required security controls for you.

Get Started