Vulnerability Description
The server does not include a Content-Security-Policy header in HTTP(S) responses.
Impact
Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. To use CSP, the developer writes a set of rules that govern which servers an application can open connections to, limit the types of content it can download from those servers, and restrict the use of dangerous features such as inline scripts and the eval function.
Verification and Attack Information
Praetorian identified this issue through a manual application walkthrough by reviewing HTTP headers. While doing so, Praetorian noted that the Content-Security-Policy header was not included in server response headers.
Recommendation
Best practices for web applications suggest that servers should specify a Content Security Policy (CSP) to whitelist the actions that their users' browsers are allowed to take.
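The header review described under Verification can be automated. The following is an added example, not part of the Praetorian finding: it checks a response's headers for a Content-Security-Policy header and flags the weak script-src source expressions ('unsafe-inline', 'unsafe-eval', wildcard) that undo the protections described under Impact. The response headers are constructed sample data.

```python
from typing import Dict, List

# Constructed sample responses (not captured from any real server).
RESPONSE_NO_CSP = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
RESPONSE_REPORT_ONLY = {"Content-Security-Policy-Report-Only": "default-src 'self'"}
RESPONSE_WEAK_CSP = {
    "Content-Type": "text/html",
    "Content-Security-Policy": ("default-src 'self'; "
                                "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com"),
}

# Source expressions that defeat CSP's inline-script and eval restrictions.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:  # skip empty segments, e.g. a trailing ';'
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def check_csp(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response; an empty list means no issue."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = lower.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in lower:
            # Report-Only mode reports violations but does not block them.
            return ["only Content-Security-Policy-Report-Only present; policy is not enforced"]
        return ["Content-Security-Policy header missing"]

    policy = parse_csp(csp)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src fallback directive")
    # script-src governs inline scripts and eval; absent, the browser falls back to default-src.
    effective_script_src = policy.get("script-src", policy.get("default-src", []))
    for weak in WEAK_SCRIPT_SOURCES:
        if weak in effective_script_src:
            findings.append(f"effective script-src allows {weak}")
    return findings


if __name__ == "__main__":
    for name, resp in [("no CSP", RESPONSE_NO_CSP), ("report-only", RESPONSE_REPORT_ONLY),
                       ("weak CSP", RESPONSE_WEAK_CSP)]:
        print(name, "->", check_csp(resp) or ["ok"])
```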
References
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
http://www.html5rocks.com/en/tutorials/security/content-security-policy/