What Hypertext Transfer Protocol (HTTP) response header can be used to disable the execution of inline JavaScript and the execution of eval()-type functions?
B. Content-Security-Policy
The Content-Security-Policy header allows you to define a policy for controlling what types of content can be executed or loaded on a web page, including JavaScript. By specifying the appropriate directives in the Content-Security-Policy header, you can enhance the security of your web application by preventing certain types of code execution, such as inline JavaScript. This helps mitigate the risk of cross-site scripting (XSS) attacks.
Answer is B
Web developers and administrators can set the X-Frame-Options header to help protect their web applications from being embedded in malicious or unauthorized frames. By preventing unauthorized framing, this header reduces the risk of clickjacking attacks and enhances the security of web applications. It's important to note that X-Frame-Options is now being replaced by the more modern Content-Security-Policy (CSP) frame-ancestors directive, which offers more fine-grained control over framing options and other security-related settings.
B. Content-Security-Policy
The Content-Security-Policy (CSP) HTTP response header is used to control and restrict the types of resources that a web page can load and execute, such as scripts, images, and other media.
B. Content-Security-Policy
The Content-Security-Policy (CSP) HTTP response header can be used to disable the execution of inline JavaScript and the execution of eval()-type functions. This header allows website administrators to define which sources of content are allowed to be loaded on a page, such as scripts, images, and stylesheets. By disabling inline JavaScript and eval(), the CSP header can help prevent cross-site scripting (XSS) attacks.
Other HTTP headers that can be used for security are:
X-XSS-Protection, which can be used to enable the browser's built-in XSS protection.
X-Frame-Options, which can be used to prevent a page from being rendered within an iframe on another site.
Strict-Transport-Security, which can be used to enforce the use of HTTPS on a website.
The correct answer is B, Content-Security-Policy. The Content-Security-Policy HTTP response header is used to specify policies for the browser to follow when executing content, such as JavaScript and eval()-type functions. It can be used to disable the execution of inline JavaScript and the execution of eval()-type functions. The other options listed are also HTTP response headers, but they are used for different purposes. X-XSS-Protection is used to enable the browser's built-in XSS protection, X-Frame-Options is used to prevent clickjacking attacks, and Strict-Transport-Security is used to enforce the use of secure connections (HTTPS) on a website.
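To make the "disables inline JavaScript and eval()" point concrete, here is an added example that is not part of the original thread or any commenter's post: a small checker that parses a Content-Security-Policy header value, works out the effective script source list (script-src, falling back to default-src), and reports whether inline scripts and eval()-type functions are actually blocked. It also applies the precedence rule mentioned in the thread, namely that a CSP frame-ancestors directive overrides X-Frame-Options. All header values below are constructed for illustration.

```javascript
// Added example, not code from the original discussion: a checker that parses a
// Content-Security-Policy header value and reports whether the policy really
// disables inline JavaScript and eval()-type functions, plus a check of the
// clickjacking headers discussed in the thread. All header values are constructed.

// Parse "directive src src; directive src" into a Map of directive name -> sources.
// Directive names are case-insensitive; a repeated directive is ignored after its
// first occurrence, which is what browsers do.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src falls back to default-src; with neither, scripts are unrestricted.
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// 'nonce-...' and 'sha256-...' / 'sha384-...' / 'sha512-...' source entries.
function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// Report whether a CSP blocks inline scripts and eval()-type functions.
function assessScriptPolicy(headerValue) {
  const sources = effectiveScriptSources(parseCsp(headerValue));
  if (sources === null) {
    return { inlineBlocked: false, evalBlocked: false,
             reason: 'no script-src or default-src, so scripts are unrestricted' };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const unsafeInline = lower.includes("'unsafe-inline'");
  const unsafeEval = lower.includes("'unsafe-eval'");
  // CSP Level 2 and later: when a nonce or hash is present in the source list the
  // browser ignores 'unsafe-inline', so inline scripts without the nonce/hash are
  // still blocked even if 'unsafe-inline' is listed for CSP1-only browsers.
  const inlineBlocked = !unsafeInline || hasNonceOrHash(lower);
  const evalBlocked = !unsafeEval;
  const reason = [
    inlineBlocked ? 'inline scripts blocked' : "'unsafe-inline' allows inline scripts",
    evalBlocked ? 'eval() blocked' : "'unsafe-eval' allows eval()",
  ].join('; ');
  return { inlineBlocked, evalBlocked, reason };
}

// Clickjacking: a frame-ancestors directive, when present, takes precedence and
// the browser ignores X-Frame-Options. Header names are matched case-insensitively.
function assessFraming(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const csp = get('content-security-policy');
  if (csp !== undefined) {
    const ancestors = parseCsp(csp).get('frame-ancestors');
    if (ancestors !== undefined) {
      return { protectedBy: 'frame-ancestors', allowed: ancestors };
    }
  }
  const xfo = get('x-frame-options');
  if (xfo !== undefined) {
    return { protectedBy: 'X-Frame-Options', allowed: [xfo.trim().toUpperCase()] };
  }
  return { protectedBy: null, allowed: ['*'] };
}

// Constructed sample policies: the weak one next to the hardened one.
const weakPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const strictPolicy = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; frame-ancestors 'none'";

console.log('weak   :', assessScriptPolicy(weakPolicy).reason);
console.log('strict :', assessScriptPolicy(strictPolicy).reason);
console.log('framing:', assessFraming({ 'Content-Security-Policy': strictPolicy, 'X-Frame-Options': 'ALLOWALL' }));
```

The checker deliberately treats a missing script-src and default-src as "unrestricted": a CSP that only sets img-src, for instance, does nothing against XSS, which is a common misconfiguration when people assume that merely sending the header is enough.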
Use a content security policy (CSP) that attempts to rigidly enforce same-origin restrictions for most browser-side active technologies (integrated into browsers and referenced by HTML header values).
9th Edition page 374
Content-Security-Policy is the name of an HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict which resources, such as JavaScript, CSS, or pretty much anything else the browser loads, can be loaded.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
Answer is B .
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
B.
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks.
Soleandheel (11 months, 2 weeks ago)
sanj10 (1 year, 2 months ago)
Dee83 (1 year, 10 months ago)
jackdryan (1 year, 6 months ago)
Darealis (1 year, 10 months ago)
DJOEK (1 year, 10 months ago)
Mann0302 (1 year, 11 months ago)
DracoL (2 years ago)
[Removed] (2 years, 1 month ago)
franbarpro (2 years, 1 month ago)
Rollizo (2 years, 1 month ago)
Rollizo (2 years, 1 month ago)
Mgz156 (2 years, 1 month ago)
Cww1 (2 years, 1 month ago)
DERCHEF2009 (2 years, 2 months ago)