Angular requirements and OWASP medium vulnerability

Hello, I have created an Angular application based on the security requirements at this link:

Content security policy
Content Security Policy (CSP) is a defense-in-depth technique to prevent XSS. To enable CSP, configure your web server to return an appropriate Content-Security-Policy HTTP header. Read more about content security policy at the Web Fundamentals guide on the Google Developers website.

The minimal policy required for brand-new Angular is:

default-src 'self'; style-src 'self' 'unsafe-inline';

default-src 'self'; Allows the page to load all its required resources from the same origin.

style-src 'self' 'unsafe-inline'; Allows the page to load global styles from the same origin ('self') and enables components to load their styles ('unsafe-inline' - see

Angular itself requires only these settings to function correctly. As your project grows, you may need to expand your CSP settings to accommodate extra features specific to your application.

When I run a tool called OWASP ZAP, I am getting medium-risk vulnerabilities due to the style-src 'unsafe-inline' and script-src 'unsafe-inline' requirement in the CSP header for Angular.

Is there any way to mitigate this issue or articles that discuss why Angular is still secure with these settings?

Any help would be appreciated.

Thank you,
