Missing Content Security Policy header
The Content Security Policy (CSP) is an HTTP header through which site owners define a set of security rules that the browser must follow when rendering their site. The most common usage is to define a list of approved sources of content that the browser can load. This can be used to effectively mitigate Cross-Site Scripting (XSS) and Clickjacking attacks.
How to fix
You can define a Content Security Policy by setting a header in your application. The header can look like this:
Content-Security-Policy: frame-ancestors 'none'; default-src 'self'; script-src *.example.com:*
In this example, the frame-ancestors directive set to 'none' indicates that the page cannot be placed inside a frame, not even by itself. The default-src directive defines the loading policy for all resource types; in this case they can be loaded only from the current origin (protocol + domain + port). The example then sets a more specific policy for scripts through the script-src directive, restricting script loading to any subdomain of example.com (on any port). Note that directives are separated by semicolons, and only keywords such as 'self' and 'none' are quoted; host expressions are not.
The policy can be built from many different directives, and there are less strict options for the directives shown above.
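As an added example (not code from the original page), a small Python checker that parses a Content-Security-Policy header value into its directives and flags a response that lacks the header or whose policy leaves framing or script loading unrestricted; the sample headers and the finding strings are constructed for illustration.

```python
"""Parse a Content-Security-Policy header and flag weak or missing settings.

Added example, not the page's own code. The example policy, the sample
response headers and the check wording below are constructed.
"""
from typing import Dict, List, Optional

# The page's example header, with directives separated by ';'.
EXAMPLE_CSP = "frame-ancestors 'none'; default-src 'self'; script-src *.example.com:*"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [source expressions]}.

    Directives are ';'-separated; each is a name followed by
    whitespace-separated source expressions. A directive that is repeated
    within one policy is ignored after its first occurrence, as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def audit_csp(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers (empty list = no issue found).

    Checks: header present; frame-ancestors set (clickjacking); script
    sources restricted. script-src falls back to default-src when absent,
    mirroring CSP's own fallback rule.
    """
    csp: Optional[str] = next(
        (v for k, v in headers.items() if k.lower() == "content-security-policy"), None
    )
    if csp is None:
        return ["missing Content-Security-Policy header"]
    policy = parse_csp(csp)
    findings: List[str] = []
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: page may be framed (clickjacking)")
    script_sources = policy.get("script-src", policy.get("default-src"))
    if script_sources is None:
        findings.append("no script-src or default-src: script loading unrestricted")
    else:
        for weak in ("*", "'unsafe-inline'", "'unsafe-eval'"):
            if weak in script_sources:
                findings.append(f"script sources allow {weak}")
    return findings
```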