Improper Tauri Security Configuration

Base Metric    Score    Severity
Overall        3.1      Low

Type: Weakness

Status: open

Reporting Date: 2023.04.04

The application does not define a Content Security Policy, which would add a defense-in-depth layer against adversaries who find an injection vulnerability in the frontend.

Description

The Tauri security configuration is incomplete: no Content Security Policy is configured for the application webview.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. [1]

We observed the following configuration in tauri.conf.json:

  "security": {
    "csp": null
  },

We also did not observe a CSP being set by the bundler or by any other framework in use, so no policy is delivered to the webview at all.

Google's CSP Evaluator (https://csp-evaluator.withgoogle.com/) is a helpful tool for learning about, defining and reviewing a CSP.

Impact

Because no CSP is defined, an adversary who finds an injection vulnerability (for example XSS) in the frontend can exploit it directly; no policy restricts where scripts, styles or other resources may be loaded from or whether inline scripts execute. This finding is a weakness rather than a vulnerability in itself: its impact depends on the vulnerabilities that are abused in the attack scenario.

Recommendation

  • Enable the CSP by setting a policy in the security.csp field of tauri.conf.json
  • Harden the CSP as much as possible: restrict each source to what the frontend actually needs, avoid 'unsafe-inline' and 'unsafe-eval', set object-src to 'none' and define a base-uri
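As an added example (not part of the original report or of the audited application), the script below puts the observed configuration next to a hardened replacement and runs a small checker over the "security" section of a Tauri 1.x tauri.conf.json. The hardened policy, the helper names (parseCsp, evaluateSecurityConfig) and the flagged directives are assumptions for illustration; the actual sources an application needs (asset:, https://asset.localhost, any remote API) must be adapted to what its frontend loads.

```javascript
// Added example: compare the observed Tauri "security" section with a hardened
// one and flag weaknesses a CSP review would raise. Not the project's own code.

// The configuration observed in the report: no CSP at all.
const weakConfig = {
  security: { csp: null },
};

// Assumed hardened replacement (illustrative; adapt the sources to the app).
// Tauri 1.x uses the Tauri template default "default-src 'self'; img-src 'self'
// asset: https://asset.localhost" as a starting point; the extra directives here
// follow the recommendation above.
const hardenedConfig = {
  security: {
    csp:
      "default-src 'self'; script-src 'self'; style-src 'self'; " +
      "img-src 'self' asset: https://asset.localhost; " +
      "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  },
};

// Normalize a CSP into { directive: [sources...] }. Tauri 1.x accepts the
// policy either as a single string or as a directive map (assumption: both
// shapes are handled here; the string form is the common one).
function parseCsp(csp) {
  if (csp === null || csp === undefined) return null;
  const map = {};
  if (typeof csp === "object") {
    for (const [name, value] of Object.entries(csp)) {
      map[name.toLowerCase()] = Array.isArray(value)
        ? value
        : String(value).split(/\s+/).filter(Boolean);
    }
    return map;
  }
  for (const part of String(csp).split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    map[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return map;
}

// Return a list of human-readable findings; an empty list means no issue found.
function evaluateSecurityConfig(conf) {
  const findings = [];
  const csp = parseCsp(conf && conf.security ? conf.security.csp : null);
  if (csp === null) {
    findings.push("security.csp is null or missing: no CSP is delivered to the webview");
    return findings;
  }
  if (!csp["default-src"]) findings.push("no default-src fallback directive");

  // script-src falls back to default-src when absent, so check the effective value.
  const scriptSrc = csp["script-src"] || csp["default-src"] || [];
  for (const weak of ["'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"]) {
    if (scriptSrc.includes(weak)) findings.push(`effective script-src allows ${weak}`);
  }

  const objectSrc = csp["object-src"] || csp["default-src"] || [];
  if (!objectSrc.includes("'none'")) findings.push("object-src is not 'none'");
  if (!csp["base-uri"]) findings.push("no base-uri directive");
  return findings;
}

console.log("observed:", evaluateSecurityConfig(weakConfig));
console.log("hardened:", evaluateSecurityConfig(hardenedConfig));
```

The checker is deliberately strict about the effective script-src: a policy that only sets `default-src 'self' 'unsafe-inline'` still allows inline scripts, which is exactly what a CSP is supposed to stop after an XSS. Run the hardened policy through the CSP Evaluator linked above before shipping it, since the tool knows more directives and bypasses than this checker does.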