Cybersecurity Issue: Security Header settings insecure (OWASP A05:2021 Security Misconfiguration)

I believe it’s a general issue.


Description

As our client requested, we ran a Vulnerability Assessment, targeting the web-admin and web-client side.

The result shows that Glide Apps has multiple medium-risk issues; one of them is OWASP A05:2021 Security Misconfiguration, caused by an insecure CSP (Content-Security-Policy) setting.

How to replicate

  1. Open any of your Glide App web-client or web-admin page.

  2. Navigate to the Internet requests. For example, in Google Chrome, open DevTools > Internet.

  3. Navigate to any request that goes to [GET] https://your-app.glide.page with the param /?reqid=YourToken, or just a token sent from the document.

  4. Look up the request header.

You will find that header filled with:

content-security-policy: default-src https: data: blob: wss: 'unsafe-inline' 'unsafe-eval'

Fix Suggestion

According to our cybersecurity partner, the changes below should fix this:

  1. rewrite it as content-security-policy: default-src 'none';
  2. or just avoid using the 'unsafe-inline' param

@comm_support_agent
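As an added check (not part of the original post and not Glide's code), a small Python auditor that parses a CSP header value and flags the weak source expressions named above. The two header strings are the ones quoted in the post; the risk rules and their wording are my own.

```python
# Added example: parse a Content-Security-Policy value and flag weak
# script-source expressions. Rules below are a constructed, defender-side list.
from typing import Dict, List

RISKY_SOURCES = {
    "'unsafe-inline'": "allows inline <script>/<style>, the XSS vector CSP is meant to block",
    "'unsafe-eval'": "allows eval()/new Function(), string-to-code execution",
    "https:": "allows every HTTPS origin, not just the app's own",
    "data:": "allows data: URIs, which can carry script",
    "blob:": "allows blob: URIs built from page-controlled data",
    "*": "wildcard origin",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]} (lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for raw_directive in header.split(";"):
        parts = raw_directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def audit_csp(header: str) -> List[str]:
    """Return one finding per risky source governing script execution.

    script-src is checked when present; otherwise default-src, which is its
    fallback. A policy with neither leaves scripts unrestricted.
    """
    policy = parse_csp(header)
    if "script-src" in policy:
        directive = "script-src"
    elif "default-src" in policy:
        directive = "default-src"
    else:
        return ["no script-src or default-src: scripts may load from any origin"]
    return [f"{directive} {src}: {RISKY_SOURCES[src]}"
            for src in policy[directive] if src in RISKY_SOURCES]


# Header value observed in the post, and the first fix the post suggests.
OBSERVED = "default-src https: data: blob: wss: 'unsafe-inline' 'unsafe-eval'"
SUGGESTED = "default-src 'none'"

if __name__ == "__main__":
    for label, value in (("observed", OBSERVED), ("suggested", SUGGESTED)):
        print(label, audit_csp(value) or ["no risky script sources"])
```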

@Samuel.Chou.OM next time, you can use the support chat for that :slight_smile:

I will repeat what you were told back in April.

The forum isn’t the right place for this. Please report any suspected vulnerabilities to the team directly via security[at]glideapps.com

This is a user to user forum. We can’t help you with things like this. Contacting Glide directly is the better option.

Oh……I apologize for my misunderstanding. Thought it’d be good to raise issue here. Next time I will try using support chat. Thanks!

(Also I didn’t see any replies in April. I’ll double-check it. Thanks for the mention!)

You can send your concerns to the email address listed above.