# XSS Analyzer
| Category | Severity | Time To Fix |
|---|---|---|
| 🛡️ Security | Major | 5 minutes |
This analyzer checks whether your application sets an appropriate `Content-Security-Policy` header to protect against XSS attacks. The analyzer fails if your application does not set this header (with at least a `script-src` directive) or if the policy includes an `unsafe-inline` source.
# How To Set The Content-Security-Policy Header
You can add the `Content-Security-Policy` header in your web server configuration.

For Nginx, you may use the `add_header` directive in your server configuration:

```nginx
add_header Content-Security-Policy "default-src 'self';";
```

For Apache, you may use the `Header` directive in your server configuration:

```apache
Header always set Content-Security-Policy "default-src 'self';"
```
Note that the headers above are just examples. Read the Content Security Policy documentation in the links below to understand which directives and sources are valid for your application.

If you omit a source your application needs, some of your JS scripts or CSS styles may fail to load. Open the Developer Console in your browser after completing your configuration to confirm there are no errors.
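As an added example (not the analyzer's own code), the following stand-alone Python checker applies the rule stated at the top of this page to header values such as the ones the Nginx and Apache snippets above would send. It assumes, as the CSP specification defines, that `script-src` falls back to `default-src`, which is why a `default-src 'self'` policy passes; the sample header values inside it are constructed.

```python
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are separated by ';' and tokens by whitespace. Directive
    names are case-insensitive and are lowercased; a repeated directive is
    ignored, as browsers ignore duplicates.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def check_csp(header: Optional[str]) -> List[str]:
    """Apply the rule described on this page to one header value.

    Returns the problems found; an empty list means the header passes.
    Assumption: script-src falls back to default-src (CSP spec behaviour),
    so a policy with only default-src, like the examples above, passes.
    """
    if header is None or not header.strip():
        return ["Content-Security-Policy header is not set"]
    policy = parse_csp(header)
    script_sources = policy.get("script-src", policy.get("default-src"))
    if script_sources is None:
        return ["no script-src (or default-src) directive"]
    if any(src.lower() == "'unsafe-inline'" for src in script_sources):
        return ["script sources include 'unsafe-inline'"]
    return []


if __name__ == "__main__":
    # Constructed header values, not captured from a real application.
    samples = [
        None,
        "default-src 'self';",
        "img-src 'self'",
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
    ]
    for value in samples:
        print(repr(value), "->", check_csp(value) or "OK")
```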
# Skip Condition
This analyzer is skipped for local environments (if the `skip_env_specific` configuration option is set to true) or if your app is stateless (does not use the
- Introduction to the Content-Security-Policy Header
- Google's Guide to Content Security Policy
- OWASP Introduction to Content Security Policy
- OWASP Content Security Policy Cheatsheet
- Nginx Add Header Directive
- Apache Header Directive