A strict-looking content security policy isn’t always a secure one.
During a recent engagement, we came across a policy that had all the right bits on paper: nonces, locked-down sources, everything you'd expect.
But one missing directive, base-uri, was all it took to break it wide open.
By injecting a <base> tag, we changed the URL every relative script src on the page resolved against, so the nonced script tags the policy already trusted fetched their code from an attacker-controlled domain. XSS payload delivered. CSP bypassed.
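To make the mechanism concrete, here is an added example (not code from the original post or from Pen Test Partners) that models how a browser resolves a script's src once a <base> tag is present, and shows the same header with and without base-uri. The page URL, the attacker domain, the nonce value and the two policies are constructed for illustration, and the base-uri enforcement is a deliberate simplification that handles only 'none' and 'self'.

```javascript
// Added example, not code from the original post or from Pen Test Partners.
// Page URL, attacker domain, nonce and both CSP headers are constructed.

// Parse a Content-Security-Policy header into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified model of base-uri enforcement (assumption: only 'none' and
// 'self' are modelled; real browsers also accept host-source expressions).
// A missing directive means any <base href> is honoured.
function baseAllowed(cspHeader, pageUrl, baseHref) {
  const sources = parseCsp(cspHeader).get('base-uri');
  if (!sources) return true;
  if (sources.includes("'none'")) return false;
  if (sources.includes("'self'")) {
    return new URL(baseHref, pageUrl).origin === new URL(pageUrl).origin;
  }
  return false;
}

// Resolve a script src the way the document would: against the injected
// <base href> if the policy lets it take effect, otherwise against the page.
function resolveScriptSrc(cspHeader, pageUrl, injectedBase, src) {
  const base = injectedBase && baseAllowed(cspHeader, pageUrl, injectedBase)
    ? new URL(injectedBase, pageUrl).href
    : pageUrl;
  return new URL(src, base).href;
}

// Constructed scenario: nonce-based policy, a relative script src in the
// legitimate markup, and an HTML injection point before that <script> tag.
const PAGE = 'https://app.example/account';
const INJECTED_BASE = 'https://attacker.example/';
const SCRIPT_SRC = '/static/app.js';   // <script nonce="r4nd0m" src="/static/app.js">

const WEAK_CSP = "default-src 'none'; script-src 'nonce-r4nd0m'; object-src 'none'";
const FIXED_CSP = WEAK_CSP + "; base-uri 'none'";

function demo() {
  // Weak: script-src accepts the element because its nonce is valid, but the
  // src now resolves to attacker.example, so the attacker's JS runs.
  const weak = resolveScriptSrc(WEAK_CSP, PAGE, INJECTED_BASE, SCRIPT_SRC);
  // Fixed: base-uri 'none' makes the browser ignore the injected <base>.
  const fixed = resolveScriptSrc(FIXED_CSP, PAGE, INJECTED_BASE, SCRIPT_SRC);
  return { weak, fixed };
}

console.log(demo());
```

The point the model makes visible: script-src with a nonce authorises the script element, not the host its src ends up pointing at, so the only directive standing between an HTML injection and a full script load from an attacker domain is base-uri. Setting it to 'none' (or 'self' where the application genuinely needs a same-origin <base>) closes the gap.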
CSPs need more than checkboxes. They need context, testing, and attention to the small stuff.
Here’s what went wrong and how to avoid it: https://www.pentestpartners.com/security-blog/csp-directives-base-ic-misconfigurations-with-big-consequences/