jeffwongworkaccount
Angular requirements and OWASP medium vulnerability

Hello, I have created an Angular application and based on the security requirements link:
https://angular.io/guide/security

Content security policy
Content Security Policy (CSP) is a defense-in-depth technique to prevent XSS. To enable CSP, configure your web server to return an appropriate Content-Security-Policy HTTP header. Read more about content security policy at the Web Fundamentals guide on the Google Developers website.

The minimal policy required for brand-new Angular is:

default-src 'self'; style-src 'self' 'unsafe-inline';

| Sections | Details |
| --- | --- |
| default-src 'self'; | Allows the page to load all its required resources from the same origin. |
| style-src 'self' 'unsafe-inline'; | Allows the page to load global styles from the same origin ('self') and enables components to load their styles ('unsafe-inline' - see angular/angular#6361). |
Angular itself requires only these settings to function correctly. As your project grows, you may need to expand your CSP settings to accommodate extra features specific to your application.

When I run a tool called OWASP ZAP, I am getting medium-risk vulnerabilities due to the style-src unsafe-inline and script-src unsafe-inline requirement in the CSP header for Angular.

Is there any way to mitigate this issue or articles that discuss why Angular is still secure with these settings?

Any help would be appreciated.

Thank you,
Jeff
