require-csp-headers
CWE: CWE-1021
Keywords: require csp headers, Content Security Policy, security, ESLint rule, CWE-1021, XSS, Helmet CWE: CWE-1021: Improper Restriction of Rendered-UI Layers or Frames
OWASP Mobile: OWASP Mobile Top 10 M8: Security Misconfiguration
Quick Summary
| Aspect | Details |
|---|---|
| Severity | Medium (XSS Mitigation) |
| Auto-Fix | ❌ No (requires policy definition) |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | Web servers serving HTML content |
| Suggestions | ✅ Advice on using Helmet for standard policies |
Vulnerability and Risk
Vulnerability: A missing or weak Content Security Policy (CSP) leaves an application vulnerable to Cross-Site Scripting (XSS), clickjacking, and data injection attacks.
Risk: Without a CSP, the browser has no way of knowing if a script running on the page is legitimate or has been injected by an attacker. A successful XSS attack can lead to session theft, credential harvesting, and defacement.
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
🔒 CWE-1021 OWASP:M8 | Missing CSP detected | MEDIUM [XSS Mitigation]
Fix: Use helmet.contentSecurityPolicy() or set CSP header manually | https://cwe.mitre.org/data/definitions/1021.htmlMessage Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-1021 OWASP:M8 |
| Issue Description | Specific vulnerability | Missing CSP detected |
| Severity & Compliance | Impact assessment | MEDIUM [XSS Mitigation] |
| Fix Instruction | Actionable remediation | Use helmet.contentSecurityPolicy() |
| Technical Truth | Official reference | Improper Restriction |
Rule Details
This rule flags Express response methods like res.render() or res.send() when they appear to be sending HTML content without a corresponding CSP header being configured.
Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 🕵️ XSS | Session theft and data leakage | Define strict script-src and object-src |
| 🚀 Exfiltration | Stealing data to external sites | Use connect-src to restrict outgoing requests |
| 🤝 Trust | Site used for phishing | Use frame-ancestors to prevent clickjacking |
Configuration
This rule has no configuration options in the current version.
Examples
❌ Incorrect
// Sending HTML directly without CSP headers
app.get('/', (req, res) => {
res.send('<!DOCTYPE html><html><body><h1>Hello World</h1></body></html>');
});
// Rendering a view without global CSP middleware
app.get('/home', (req, res) => {
res.render('index', { title: 'Home' });
});✅ Correct
res.send({ data: 'json' })Known False Negatives
The following patterns are not detected due to static analysis limitations:
Global Middleware
Why: This rule is a heuristic and analyzes files individually. If you have global middleware like helmet in a central app.js, individual route handlers might still be flagged.
Mitigation: Use // eslint-disable-next-line for route handlers in projects where CSP is enforced globally.
Non-Standard Express Methods
Why: Custom response wrappers or other frameworks might use different methods to send HTML.
Mitigation: Standardize on a security-first framework and ensure it's applied consistently.