Severity: Critical
Affected area: HTTP response headers (global)
Issue:
No CSP is sent, so XSS impact is maximized and script execution controls are absent.
Mitigation plan:
- Add baseline CSP for app pages (start report-only, then enforce).
- Remove inline scripts where possible and adopt nonce/hash strategy if needed.
- Add policy for
frame-ancestors, base-uri, and form-action.
Verification / tests:
- Response-header tests for CSP presence on HTML responses.
- Browser validation for blocked inline execution where policy disallows it.
Severity: Critical
Affected area: HTTP response headers (global)
Issue:
No CSP is sent, so XSS impact is maximized and script execution controls are absent.
Mitigation plan:
frame-ancestors,base-uri, andform-action.Verification / tests: