Will CSP prevent OWASP XSS Attack Blocking

I have a Node.js site that’s behind Cloudflare. One component is being blocked by the OWASP WAF rules. There are multiple XSS attack filters being tripped and one HTTP Policy for the method.

My question is this: We currently do not have a Content Security Policy in place on this system. Would implementing a CSP prevent these OWASP rules from tripping for valid XSS sources/content?

Can you share a screen of that blocked page / error page?

If you navigate to the CF dashboard → WAF → Overview, you should see the blocked firewall event.
Could you share which Rule ID or Ruleset is shown in the details when you click to “expand” that particular firewall event in the table view from the bottom of the page?
You’d need to troubleshoot and create an exception in whatever security setting at CF dashboard you modified which is blocking the access.

Just to clarify, is the CSP in question here or Cloudflare WAF (Managed Rules)?

I’m just wondering if I create a content-security-policy on my site if that would work to prevent these XSS rules from applying. Then perhaps I would not have to create custom Cloudflare rules.
