[Nikto-discuss] Nikto doesn't understand CSP

Sullo csullo at gmail.com
Sun Aug 10 22:38:47 CDT 2014


It alerts because it's not in db_headers. I've added this one and
content-security-policy, thanks.


On Sat, Aug 9, 2014 at 4:13 PM, Robin Wood <robin at digi.ninja> wrote:

> I just got this in a scan using the latest Git code:
>
> + Uncommon header 'content-security-policy-report-only' found, with
> contents: default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src
> https://* about: javascript:; img-src data:
>
> Is it reported as Uncommon because it doesn't know about it or is it just
> pointing out that not many sites set it? I'd guess it is the first.
>
> Robin
>
> _______________________________________________
> Nikto is sponsored by Netsparker, a false positive free web application
> security scanner.
> Visit https://www.netsparker.com/ for more information.
> _______________________________________________
> Nikto-discuss mail list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss
>



-- 

http://www.cirt.net     |      http://richsec.com/
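To make the "Uncommon header" mechanism concrete, here is an added Python example (not Nikto's own Perl code): a lookup against a known-header list like db_headers, which stops flagging the two CSP headers once they are added, plus a small parser for the quoted policy so the finding can be reviewed for weak sources. The known-header set and the sample response are constructed for the example.

```python
# Added example, not Nikto's code: emulate the "uncommon header" check, which
# fires for any response header absent from the known list (db_headers), and
# parse a CSP value so a report-only policy can be reviewed for weak sources.
from typing import Dict, List, Set

# Constructed stand-in for Nikto's db_headers; the real list is much longer.
KNOWN_HEADERS: Set[str] = {
    "content-type", "content-length", "date", "server", "x-frame-options",
    "x-content-type-options", "strict-transport-security",
}
# The two headers added to db_headers in the thread.
CSP_HEADERS: Set[str] = {"content-security-policy",
                         "content-security-policy-report-only"}
# Source expressions that weaken a policy's XSS protection.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:", "javascript:", "*"}

def uncommon_headers(headers: Dict[str, str], known: Set[str]) -> List[str]:
    """Return lower-cased header names that are not in the known list."""
    return sorted(h.lower() for h in headers if h.lower() not in known)

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]} (';' separates directives)."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def csp_review(headers: Dict[str, str]) -> List[str]:
    """Review CSP headers in a response: note report-only mode, flag risky sources."""
    findings: List[str] = []
    for name, value in headers.items():
        lname = name.lower()
        if lname not in CSP_HEADERS:
            continue
        if lname.endswith("-report-only"):
            findings.append("report-only: policy is logged, not enforced")
        for directive, sources in parse_csp(value).items():
            findings.extend(f"{directive} allows {s}" for s in sources
                            if s in RISKY_SOURCES)
    return findings

# Constructed response resembling the header quoted in Robin's scan output.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy-Report-Only":
        "default-src https: data: 'unsafe-inline' 'unsafe-eval'; "
        "frame-src https://* about: javascript:; img-src data:",
}
```

With the original list the CSP header is reported as uncommon; with `KNOWN_HEADERS | CSP_HEADERS` it is not, while `csp_review` still surfaces that the policy is report-only and permits inline script, eval, data: and javascript: sources.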