Issue with Missing CSP Header in Report Despite Enabled "HTTP Security Headers Detection" NVT

I’m currently experiencing an issue with the HTTP Security Headers Detection NVT (OID: 1.3.6.1.4.1.25623.1.0.112081) in Greenbone. While the scan correctly identifies several missing HTTP security headers, such as X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options, it does not flag the Content-Security-Policy (CSP) header when it’s missing. I have verified that the NVT is enabled and that the target server is correctly configured to allow for header checks, but the CSP header issue is not showing up in the final report. Could anyone provide insight into why this might be happening or any potential troubleshooting steps I should take to ensure the missing CSP is properly flagged in the scan results and in the final report?

Identifying a missing CSP header uses the same method as for all other HTTP security headers. The plugin location should be /var/lib/openvas/plugins/gb_http_security_headers_detect.nasl; you can see it’s in an array with other headers and the regex check is case-insensitive. Are you verifying that the header is actually missing? Curl can check headers:

curl -I https://example.com

Also, note that simply checking whether it exists doesn’t verify that it is set securely.


The issue we’re facing is websites that are vulnerable to clickjacking, and we need the report to show if the Content Security Policy (CSP) header is missing or not set correctly. While the scan correctly flags other missing security headers like X-Frame-Options and X-XSS-Protection, it doesn’t seem to flag the missing CSP header. It’s important that the scan report clearly identifies whether the CSP header is missing or misconfigured so we can fix this security risk.

And also we checked using curl that the header is indeed missing… We simply want to know if there is another plugin that checks for the Content security policy non-existence or incorrect configuration so it can be added in the reports.

Thank you…
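
Added example, not part of the thread and not Greenbone's plugin code: a Python check that takes a response head as printed by `curl -sI` and separates the two cases discussed above, a missing CSP header versus one that is present but does not restrict framing through `frame-ancestors`. The function names, status strings, sample responses and the list of sources treated as permissive are assumptions made for this illustration.

```python
# Constructed sample response heads, shaped like `curl -sI` output.
MISSING = "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Content-Type-Options: nosniff\r\n\r\n"
NO_FA = "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'\r\n\r\n"
PERMISSIVE = "HTTP/1.1 200 OK\r\ncontent-security-policy: frame-ancestors *\r\n\r\n"
OK = ("HTTP/1.1 200 OK\r\n"
      "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n")

# Assumption: sources that let any origin (or any origin on a scheme) frame the page.
PERMISSIVE_SOURCES = {"*", "http:", "https:"}


def csp_policies(raw_head):
    """Return every enforced CSP policy in the first response head."""
    policies = []
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                               # blank line ends the header block
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; one header may carry several
        # comma-separated policies, and the header itself may repeat.
        if sep and name.strip().lower() == "content-security-policy":
            policies += [p.strip() for p in value.split(",") if p.strip()]
    return policies


def frame_ancestors(policy):
    """Return the frame-ancestors source list of one policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]   # first occurrence wins
    return None


def csp_clickjacking_status(raw_head):
    policies = csp_policies(raw_head)
    if not policies:
        return "missing"
    source_lists = [fa for fa in map(frame_ancestors, policies) if fa is not None]
    if not source_lists:
        return "no-frame-ancestors"
    # All policies are enforced together, so one restrictive list is enough.
    if all(any(s in PERMISSIVE_SOURCES for s in fa) for fa in source_lists):
        return "permissive"
    return "ok"


if __name__ == "__main__":
    for label, head in [("MISSING", MISSING), ("NO_FA", NO_FA),
                        ("PERMISSIVE", PERMISSIVE), ("OK", OK)]:
        print(label, "->", csp_clickjacking_status(head))
```
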