1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# https://morningstarsecurity.com/research/whatweb
##
Plugin.define do
name "Content-Security-Policy"
authors [
"Brendan Coles <bcoles@gmail.com>", # 2012-05-17
"Andrew Horton", # v0.2 # 2025-08-02 # Added modern CSP header detection
]
version "0.2"
description "Content Security Policy (CSP) helps prevent XSS attacks by restricting which resources can be loaded."
website "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"
# ShodanHQ results as at 2012-05-17 #
# 785 for X-Content-Security-Policy
# Matches #
matches [
# X-Content-Security-Policy # HTTP Server Header
{ :search=>"headers[x-content-security-policy]", :string=>/^(.*)$/ },
# X-WebKit-CSP # HTTP Server Header
{ :search=>"headers[x-webkit-csp]", :string=>/^(.*)$/ },
# Modern CSP headers
{ :search=>"headers[content-security-policy]", :string=>true, :name=>"CSP Header" },
{ :search=>"headers[content-security-policy-report-only]", :string=>true, :name=>"CSP Report-Only Header" },
]
end
|
