
Commit

Update 0x50-V50-Web-Frontend-Security.md
Addressing #1311
jmanico committed Nov 7, 2024
1 parent 2df9034 commit f6ed6cd
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion 5.0/en/0x50-V50-Web-Frontend-Security.md
Expand Up @@ -18,7 +18,7 @@ The category focuses on requirements that protect against attacks that are execu

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **50.2.1** | [MODIFIED, MOVED FROM 14.4.3] Verify that a Content-Security-Policy response header field is in place that helps mitigate impact for XSS attacks like HTML, DOM, CSS, JSON, and JavaScript injection vulnerabilities. |||| |
| **50.2.1** | [MODIFIED, MOVED FROM 14.4.3] Verify that every HTTP response includes a Content-Security-Policy (CSP) header field to reduce the risk of malicious JavaScript. For L2, allowlists and a global policy may be used. For L3, a per-response policy with nonces or hashes, and object-src and base-uri set to 'none,' must be defined. |||| |
| **50.2.2** | [GRAMMAR, MOVED FROM 14.4.4] Verify that all responses contain a X-Content-Type-Options: nosniff header field. |||| 116 |
| **50.2.3** | [MODIFIED, MOVED FROM 14.4.5] Verify that a Strict-Transport-Security header field is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=31536000; includeSubdomains. |||| 523 |
| **50.2.4** | [GRAMMAR, MOVED FROM 14.4.6] Verify that a suitable Referrer-Policy header field is included to avoid exposing sensitive information in the URL through the Referer header field to untrusted parties. |||| 116 |
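Review bot: The CWE column for the rewritten 50.2.1 row is still empty while the neighbouring rows 50.2.2 to 50.2.4 carry 116 or 523; since the old wording named XSS explicitly and the new wording still targets injected JavaScript, CWE-79 would be the natural entry, and leaving the column blank makes this the only requirement in the table without a mapping. Two smaller wording points in the same row: the closing quote in `object-src and base-uri set to 'none,'` wraps the comma inside the quoted value, which reads as the literal string `'none,'` rather than the CSP keyword `'none'`, so it should be `set to 'none',`; and `reduce the risk of malicious JavaScript` is less precise than the replaced text, which named the injection classes the header mitigates (HTML, DOM, CSS, JSON and JavaScript injection), so consider keeping at least "reduce the impact of XSS" so the requirement still states what risk the header addresses.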

0 comments on commit f6ed6cd
