App Control: PCI Vulnerability Scan of App Control Fails Due To Missing Content Security Policy HTTP Header
Article ID: 291535
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
PCI vulnerability scan of App Control Server fails due to missing Content Security Policy HTTP header
Environment
App Control Server: All Versions
Cause
App Control does not send a Content Security Policy header, because a CSP would by default block much of the behaviour the App Control web application relies on.
Resolution
Work with the third-party vulnerability scan vendor to configure the scanner to ignore the missing Content Security Policy header.
Additional Information
A missing or misconfigured CSP is an absent best practice, not a vulnerability, and PCI scans can be configured to ignore such findings.
CSP has a number of shortcomings and can have a significant negative impact on a product, especially if it is not a modern client-side application.
The main benefit of CSP is that it mitigates cross-site scripting (XSS) and the inclusion of content from an untrusted control sphere, but an application would first need to have such a vulnerability for the mitigation to matter. If the vulnerability scan found an XSS, that would be the real vulnerability; a missing CSP is only a missing mitigation for it.
To pass a PCI scan, all findings with a CVSS score of 4.0 or above must be resolved. If the missing CSP finding scores below the 4.0 threshold, it is considered a low-severity issue.
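The two points above, that a CSP is a mitigation rather than a fix and that enforcing one tends to break older server-rendered applications, are easier to see on concrete headers. The following is an added example, not code from this article, from Carbon Black or from App Control; it parses a Content-Security-Policy header and reports whether the header is present at all and, if so, whether its script-src directive would actually block inline scripts and eval(). The header sets it inspects are constructed samples and do not describe what App Control Server returns.

```python
"""Added example, not code from the Carbon Black KB article or from App Control.

Evaluates Content-Security-Policy headers the way a reviewer triaging a PCI
scan finding would: is the header present, and if so, would its script-src
directive actually block inline scripts and eval()? The header sets below are
constructed samples and do not describe what App Control Server returns.
"""
from dataclasses import dataclass, field


@dataclass
class CspReport:
    present: bool
    restricts_scripts: bool = False      # a script-src or default-src directive exists
    blocks_inline_scripts: bool = False  # unattributed <script> blocks are rejected
    blocks_eval: bool = False            # eval() / new Function() are rejected
    directives: dict = field(default_factory=dict)
    note: str = ""


def parse_csp(value):
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}.

    Directive names are case-insensitive per the CSP specification, so they
    are lowercased; source expressions are kept as written.
    """
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def evaluate_csp(headers):
    """Return a CspReport for one HTTP response's headers (names matched case-insensitively)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "content-security-policy"), None)
    if value is None:
        return CspReport(
            present=False,
            note="No CSP header: a missing XSS mitigation, not a vulnerability "
                 "in itself. Check the scan for actual XSS findings instead.")

    directives = parse_csp(value)
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    if "script-src" in directives:
        sources = directives["script-src"]
    elif "default-src" in directives:
        sources = directives["default-src"]
    else:
        return CspReport(present=True, directives=directives,
                         note="CSP present but it places no restriction on scripts.")

    sources_lower = {s.lower() for s in sources}
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP level 2+),
    # so inline scripts without a matching nonce/hash are blocked either way.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in sources_lower)
    blocks_inline = "'unsafe-inline'" not in sources_lower or has_nonce_or_hash
    blocks_eval = "'unsafe-eval'" not in sources_lower

    if blocks_inline or blocks_eval:
        note = ("Enforcing this policy breaks any page that relies on inline event "
                "handlers, inline <script> blocks or eval(); typical of older "
                "server-rendered applications.")
    else:
        note = ("Policy permits inline scripts and eval(), so it adds little XSS "
                "protection; it mainly satisfies a 'header present' check.")
    return CspReport(True, True, blocks_inline, blocks_eval, directives, note)


# Constructed sample responses (hypothetical; not captured from any real server).
SAMPLE_NO_CSP = {"Content-Type": "text/html; charset=utf-8",
                 "X-Content-Type-Options": "nosniff"}
SAMPLE_LEGACY_FRIENDLY = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"}
SAMPLE_STRICT = {
    "content-security-policy":
        "default-src 'self'; script-src 'self' 'nonce-R4nd0m'; object-src 'none'"}

if __name__ == "__main__":
    for name, hdrs in [("no CSP", SAMPLE_NO_CSP),
                       ("legacy-friendly", SAMPLE_LEGACY_FRIENDLY),
                       ("strict", SAMPLE_STRICT)]:
        r = evaluate_csp(hdrs)
        print(f"{name:16} present={r.present} inline_blocked={r.blocks_inline_scripts} "
              f"eval_blocked={r.blocks_eval}")
        print(f"{'':16} {r.note}")
```

The "legacy-friendly" policy is the shape an application with inline scripts would need in order to keep working, and the report shows why it buys almost nothing against XSS; the "strict" policy is the one that provides real mitigation and is also the one that breaks such an application. That trade-off is the reason the finding is classed as a missing best practice rather than a defect to be fixed in the product.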