5.3.3 Ensure that Content Security Policy (CSP) is enabled and configured properly

Information

Content Security Policy allows administrators to specify the locations from which allowable scripts may be executed, or if scripts may be executed at all. Content Security Policy should be used to improve user trust of your website.

Rationale:

Content Security Policies assist organizations in mitigating and reporting cross-site scripting (XSS) attacks.

Solution

Open your nginx configuration file that contains your server blocks. Add the below line into your server block to add Content-Security-Policy and direct your user agent to accept documents from only specific origins.

add_header Content-Security-Policy 'default-src 'self'' always;

Default Value:

This is not enabled by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1), CSCv7|2.9

Plugin: Unix

Control ID: 169568fd40a2464982d604e638c70b92aa4e1d46b5c878d3a40533d643e7e3f0