App Control: PCI Vulnerability Scan of App Control Fails Due To Missing Content Security Policy HTTP Header

Environment

  • App Control Server: All Versions

Symptoms

PCI vulnerability scan of App Control Server fails due to missing Content Security Policy HTTP header

Cause

App Control does not send a Content Security Policy (CSP) header. A CSP applies a default-deny model to script, style and other resource loads, and a typical restrictive policy would block much of the existing behavior of the App Control web application.

Resolution

Work with the third-party vulnerability scan vendor to configure the scanner to ignore this missing Content Security Policy finding.

Additional Notes

  • A missing CSP is an absent best-practice mitigation, not a vulnerability in itself, and PCI scans can be configured to ignore such findings.
  • CSP has a number of shortcomings and can have a significant negative impact on a product, especially one that is not a modern client-side application (for example, one that relies on inline scripts and styles, which a restrictive policy blocks by default).
  • The main benefit of CSP is that it mitigates cross-site scripting (XSS) and the inclusion of resources from an untrusted control sphere, but only if those vulnerabilities exist in the first place. If the vulnerability scan had found an XSS, that would be the real vulnerability; a missing CSP is only a missing mitigation for it.
  • To pass a PCI scan, every finding with a CVSS score of 4.0 or higher must be resolved. If the scanner rates the missing CSP below the 4.0 threshold, it is a low-severity finding and does not by itself cause a failing result.
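As an added illustration (not code from the App Control product or its vendor), the following Python script models enough of browser CSP matching to show both points made in the notes above: a restrictive policy such as default-src 'self' blocks the inline scripts a server-rendered console may depend on, while even a policy relaxed with 'unsafe-inline' still blocks script inclusion from an untrusted origin (and, at the same time, no longer stops an injected inline script). It also contains the kind of header-presence check a scanner performs. The policy strings, the page origin console.example.com, the response headers and the attacker.example URL are all constructed for the example, and the matching is simplified (no path matching, default-port equivalence or scheme upgrades).

```python
"""Minimal Content-Security-Policy evaluator plus a scanner-style header check.

Added illustration, not App Control or vendor code. Policies, headers and URLs
below are constructed for the example. Browser CSP matching is simplified:
only host sources, 'self', 'none', '*', 'unsafe-inline' and nonce/hash
presence are modelled; paths, default-port equivalence and scheme upgrades
are not.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_FALLBACK = {"script-src", "style-src", "img-src", "connect-src", "font-src", "frame-src"}

# Origin of the page enforcing the policy (constructed for the example).
PAGE_ORIGIN = "https://console.example.com"


def parse_csp(header_value):
    """Parse "dir src src; dir src" into {dir: [src, ...]}.

    Directive names are case-insensitive; per the spec the first occurrence
    of a directive wins and later duplicates are ignored.
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`, or None if the policy leaves it unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_FALLBACK and "default-src" in policy:
        return policy["default-src"]
    return None


def _host_matches(source, url, page_origin):
    """Match one host-source expression (optional scheme, optional leading *.) against a URL."""
    if source == "'self'":
        source = page_origin
    pattern = urlsplit(source if "://" in source else "//" + source)
    target = urlsplit(url)
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    if pattern.port is not None and pattern.port != target.port:
        return False
    host = pattern.hostname or ""
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])  # wildcard excludes the bare domain
    return target.hostname == host


def allows(policy, directive, url=None, inline=False, nonce=None, page_origin=PAGE_ORIGIN):
    """Return True if the policy permits the load described by `url` or `inline`.

    inline=True models an inline <script>/<style> or event handler; `nonce` is
    the nonce attribute carried by that inline element, if any.
    """
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if not sources or sources == ["'none'"]:
        return False  # an empty source list is equivalent to 'none'
    if inline:
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
        )
        if nonce is not None and f"'nonce-{nonce}'" in sources:
            return True
        # 'unsafe-inline' is ignored as soon as a nonce or hash source is present.
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    if "*" in sources:
        return True
    return any(
        _host_matches(s, url, page_origin)
        for s in sources
        if not s.startswith("'") or s == "'self'"
    )


def csp_missing(response_headers):
    """Scanner-style check: True when no Content-Security-Policy header is present."""
    return not any(name.lower() == "content-security-policy" for name in response_headers)


# Constructed sample data for the example (not captured from a real server).
NO_CSP_RESPONSE = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "SAMEORIGIN"}
STRICT_POLICY = "default-src 'self'"
RELAXED_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
INJECTED_SCRIPT = "https://attacker.example/payload.js"  # what an XSS payload would try to load


def demo():
    """Compare the two policies against an inline script and an injected external script."""
    strict, relaxed = parse_csp(STRICT_POLICY), parse_csp(RELAXED_POLICY)
    return {
        "header_missing": csp_missing(NO_CSP_RESPONSE),
        "strict_inline_script": allows(strict, "script-src", inline=True),
        "relaxed_inline_script": allows(relaxed, "script-src", inline=True),
        "strict_injected_external": allows(strict, "script-src", url=INJECTED_SCRIPT),
        "relaxed_injected_external": allows(relaxed, "script-src", url=INJECTED_SCRIPT),
        "strict_self_script": allows(strict, "script-src", url=PAGE_ORIGIN + "/app.js"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The demo shows the trade-off the notes describe: the strict policy blocks the application's own inline script, so a console built that way stops working, while the relaxed policy allows it at the cost of also allowing any inline script an XSS injects; both policies still block loading a script from the attacker's origin. Neither policy removes an XSS injection point; it only constrains what an injection can do.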

Article Information
Creation Date: 09-21-2021