App Control: PCI Vulnerability Scan of App Control Fails Due To Missing Content Security Policy HTTP Header
App Control Server: All Versions
PCI vulnerability scan of App Control Server fails due to a missing Content Security Policy (CSP) HTTP header.
App Control does not set a Content Security Policy, because a default CSP would block much of the existing behavior of the App Control web application.
Work with the third-party vulnerability scan vendor to configure the scanner to ignore this missing Content Security Policy header.
A missing or misconfigured CSP is a missing best practice, not a vulnerability, and PCI scans can be configured to ignore such findings.
CSP has a number of shortcomings and can have significant negative impacts on a product, especially if it is not a modern client-side application.
The main benefit of CSP is that it mitigates XSS and the inclusion of content from an untrusted control sphere, but those vulnerabilities would have to exist in the first place. If the vulnerability scan had found an XSS issue, that would be the real vulnerability; the missing CSP is only a missing mitigation for it.
To pass a PCI scan, all issues with a CVSS score of 4.0 or above must be resolved. If the missing CSP finding scores below the 4.0 threshold, it is considered a low-severity issue.
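As an added example that is not part of this article or of App Control, the following Python helper triages a captured HTTP response header block for this finding: it reports whether a Content-Security-Policy header is missing, report-only, enforced, or present but too permissive to mitigate XSS, which is the distinction worth documenting for the scan vendor. The two response samples are constructed.

```python
# Added example, not App Control code: triage a captured HTTP response header block
# for the "missing CSP header" scan finding. Both samples below are constructed.

NO_CSP_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
"""
WEAK_CSP_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https:
"""

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.1 header block into {lowercase name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def assess_csp(raw_response: str) -> dict:
    """Classify CSP posture as 'missing', 'report-only', 'weak' or 'enforced'.
    'weak' means the header is present (so a scanner is satisfied) but the
    effective script policy still allows inline or wildcard sources."""
    headers = parse_headers(raw_response)
    policy = headers.get("content-security-policy")
    if policy is None:
        report_only = "content-security-policy-report-only" in headers
        return {"status": "report-only" if report_only else "missing", "weak_reasons": []}
    directives = parse_csp(policy)
    # script-src falls back to default-src; with neither, scripts are unrestricted
    sources = directives.get("script-src", directives.get("default-src"))
    reasons = []
    if sources is None:
        reasons.append("no script-src or default-src directive")
    if "'unsafe-inline'" in (sources or []):
        reasons.append("'unsafe-inline' permitted for scripts")
    if any(s in ("*", "http:", "https:") for s in sources or []):
        reasons.append("wildcard or scheme-only script source")
    return {"status": "weak" if reasons else "enforced", "weak_reasons": reasons}
```

Feed it the header block from a real response (for example, the raw output of an HTTP client's head request) to record exactly what the scanner observed.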