Content Security Policy (CSP) Header Not Set

[dsotirho-ucsc]

From ZAP v2.1.5.0 scan on 2025-03-03
Finding severity: Medium

The following URLs (of 404 pages) were found to lack a CSP header:

• https://data.humancellatlas.org/favicon-32x32.png
• https://data.humancellatlas.org/index/catalogs
• https://data.humancellatlas.org/metadata/dictionary/biomaterial/cell_line
• https://data.humancellatlas.org/metadata/dictionary/file/analysis_file
• https://data.humancellatlas.org/metadata/dictionary/file/sequence_file
• https://data.humancellatlas.org/metadata/dictionary/process/analysis_process
• https://data.humancellatlas.org/metadata/dictionary/project/project
• https://data.humancellatlas.org/metadata/dictionary/protocol/aggregate_generation_protocol
• https://data.humancellatlas.org/metadata/dictionary/protocol/sequencing_protocol
• https://data.humancellatlas.org/robots.txt

Recommended Solution:

• Add a CSP header to all 404 pages
• Additionally, if any of the URLs above exist as links on the Portal, replace/remove the link.

[achave11-ucsc]

Assignee to coordinate with CC.

[bvizzier-ucsc]

@NoopDog Please address when you can. As a medium finding, it has a 90 day timer.

[NoopDog]

Ok, I have an approach for this, and the ticket is assigned. It should be fixed in the next few days.

[achave11-ucsc]

Assignee to coordinate with CC.

[NoopDog]

@bvizzier-ucsc this is ready to re-test.

[NoopDog]

We will address the links portion of this ticket here.