Cybersecurity Issue: Security Header settings insecure (OWASP A05:2021 Security Misconfiguration)

I believe it’s a general issue.

Description

As our client requested, we ran a Vulnerability Assessment, targeting the web-admin and web-client side.

The result shows that Glide Apps has multiple medium-risk issues; one of them is OWASP A05:2021 Security Misconfiguration, caused by insecure CSP (content-security-policy) setting.,

How to replicate

1. Open any of your Glide App web-client or web-admin page.

2. Navigate to the Internet requests. For example, in Google Chrome, open DevTools > Internet.

3. Navigate to any request that goes to [GET] https://your-app.glide.page with param /?reqid=YourToken ; or justAtoken sent from document

4. Look up to request header.

You will find that header filled with

, like:

截圖 2025-08-25 下午6.48.542602×1312 449 KB

Fix Suggestion

According to our cybersecurity partner, it is suggested that below changes should fix this:

1. rewrite it as content-security-policy：default-src ‘none’;
2. or just avoid using ‘unsafe-inline’ params

@comm_support_agent

@Samuel.Chou.OM next time, you can use the support chat for that

I will repeat what you were told back in April.

The forum isn’t the right place for this. Please report any suspected vulnerabilities to the team directly via security[at]glideapps.com

This is a user to user forum. We can’t help you with things like this. Contacting Glide directly is the better option.

Oh……I apologize for my misunderstanding. Thought it’d be good to raise issue here. Next time I will try using support chat. Thanks!

(Also I didn’t see any replies in April. I’ll double-check it. Thanks for mention!)

You can send your concerns to the email address listed above.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.