Critiq Docs

security.misconfiguration

Avoid unsafe Content-Security-Policy literals

Static CSP header values should not rely on unsafe-inline, unsafe-eval, or unsafe-hashes without nonces.

#Metadata

Rule ID: ts.security.insecure-content-security-policy-literal
Severity: medium
Confidence: 0.8
Languages: javascript, typescript
Presets: security, strict
Stability: stable
Applies to: block
Tags: csp, headers, rules-catalog, security

#Why it matters

Permissive CSP keywords weaken XSS defenses for every response that carries the header.

#Remediation

Prefer nonces or hashes, remove unsafe-inline and unsafe-eval, and scope directives to the smallest required surface.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.insecure-content-security-policy-literal.rule.yaml.