Should I be concerned or is this just noise?
The one that I can immediately help you with is Cross-Domain Javascript Source Inclusion. That one is a node in an attack vector that only works if you have some code that is vulnerable to injection like XSS or CRLF injection. It is not a vulnerability per se; think about playing a card game and you make combos with cards during your turn. By itself, Cross-Domain Javascript Source is not dangerous, but if you don't validate user input a threat actor can use it to perform an attack.
For CSP, read about it here: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
You just got ZAPPED by the OWASP
>>107896780
Don't be too concerned, but if you have a few minutes, these are pretty easy fixes, just add a few headers:
>Content-Security-Policy: frame-ancestors 'none';
>X-Frame-Options: DENY
>Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Also, try serving any JS libraries from your own domain, not a CDN. If this is not possible, add
>crossorigin="anonymous" integrity="<HASH>"
to your <script> elements, you can get the hash from here: https://srihash.org/
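As an added example (not from any poster in this thread), the script below shows what the `integrity` attribute in the reply above actually is and how the header advice can be checked: it computes an SRI value the way srihash.org does (SHA-384 of the exact bytes served, base64-encoded, prefixed with the algorithm name), emits the `<script>` tag with `crossorigin="anonymous"`, re-verifies the bytes the way a browser does, and lists which of the three recommended headers a response is missing. The sample script bytes and the `/static/vendor/lib.js` path are constructed for the demo; the header values are the ones given in the reply.

```python
import base64
import hashlib
from html import escape

# Constructed sample standing in for a JS library you self-host or load from a CDN.
SAMPLE_SCRIPT = b"console.log('hello from a constructed sample script');\n"

# The three headers recommended in the reply above, with the same values.
RECOMMENDED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none';",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def compute_sri(script_bytes: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for the exact bytes served.

    SRI binds the tag to these bytes: if the CDN ever serves anything different
    (a new version, a per-request build, a compromised file), the browser refuses to run it.
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, script_bytes).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(script_bytes: bytes, integrity: str) -> bool:
    """Mimic the browser-side check: the attribute may list several tokens,
    and the resource is accepted if any token's digest matches the bytes."""
    for token in integrity.split():
        algorithm, _, _digest = token.partition("-")
        if algorithm in SRI_ALGORITHMS and compute_sri(script_bytes, algorithm) == token:
            return True
    return False


def script_tag(src: str, script_bytes: bytes) -> str:
    """Build the <script> element the reply describes: crossorigin plus integrity."""
    return (
        f'<script src="{escape(src, quote=True)}" '
        f'crossorigin="anonymous" integrity="{compute_sri(script_bytes)}"></script>'
    )


def missing_headers(response_headers: dict) -> list:
    """Report which recommended headers a response lacks (header names are case-insensitive)."""
    present = {name.lower() for name in response_headers}
    return [name for name in RECOMMENDED_HEADERS if name.lower() not in present]


if __name__ == "__main__":
    # Hypothetical self-hosted path; the bytes are the constructed sample above.
    print(script_tag("/static/vendor/lib.js", SAMPLE_SCRIPT))
    print("missing:", missing_headers({"Content-Type": "text/html"}))
```

The check in `verify_sri` is also why SRI only works for a file whose bytes never change between requests: a script that is generated dynamically can never match a fixed digest, which is the practical reason for the reply's first suggestion to serve libraries from your own domain.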
Fixed the headers (CSP, X-Frame-Options, HSTS) without issues. Tried to add SRI for https://cdn.tailwindcss.com, but hashing fails because the CDN doesn't allow CORS / script is dynamic. Everything else is fixed, this is the only thing I couldn't properly solve unless I self-host Tailwind.