Pages with CSP but missing base-uri are vulnerable to base tag injection attacks.
By Seoxpert Editorial · Published
Missing the base-uri directive in CSP allows attackers to inject a <base> tag via XSS, rewriting all relative URLs. This can lead to hijacked links, forms, and resources, undermining user trust and site security. Search engines may penalize compromised sites, affecting SEO.
Without base-uri, a single XSS can compromise all relative URLs, risking user data and site integrity.
Automated crawlers scan CSP headers for the presence of a base-uri directive and flag pages where it is missing.
Problematic CSP header (missing base-uri)
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com

Fixed CSP header (with base-uri 'self')
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; base-uri 'self'

Stricter fix (with base-uri 'none')
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; base-uri 'none'

It restricts the URLs allowed in the <base> element, preventing attackers from rewriting relative URLs via XSS.
Yes, because an attacker could inject a <base> tag via XSS if not restricted by CSP.
Yes, if your site does not use the <base> element, 'none' provides the strictest security.
No, unless your site relies on dynamically changing the <base> tag, which is rare.
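The check that an automated crawler performs on the headers shown above, as an added example that is not part of the original page: a small CSP parser, a base-uri classifier, and a resolver that shows where a relative URL ends up when a <base> points elsewhere. The page URL and the other-origin base are constructed placeholders.

```python
from typing import Dict, List, Optional
from urllib.parse import urljoin


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source values]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            name, *values = tokens
            # Per the CSP spec a repeated directive is ignored; the first one wins.
            policy.setdefault(name.lower(), values)
    return policy


def check_base_uri(header: str) -> str:
    """Classify the base-uri posture as 'missing', 'strict', 'self' or 'permissive'.

    base-uri does not fall back to default-src, so a policy with no explicit
    base-uri leaves the <base> element unrestricted however tight default-src is.
    """
    values = parse_csp(header).get("base-uri")
    if values is None:
        return "missing"
    if values == ["'none'"]:
        return "strict"
    if values == ["'self'"]:
        return "self"
    return "permissive"


def resolve_relative(page_url: str, relative: str,
                     injected_base: Optional[str] = None) -> str:
    """Resolve a relative URL the way the browser would, with or without a <base>."""
    return urljoin(injected_base or page_url, relative)


if __name__ == "__main__":
    # Constructed sample headers mirroring the three shown on the page.
    weak = "default-src 'self'; script-src 'self' https://apis.example.com"
    fixed = weak + "; base-uri 'self'"
    print(check_base_uri(weak), check_base_uri(fixed))  # missing self
    # Constructed page URL: the same relative path resolves to a different origin
    # once a <base> has been injected, which is what base-uri prevents.
    page = "https://shop.example/account/"
    print(resolve_relative(page, "js/app.js"))
    print(resolve_relative(page, "js/app.js", "https://other-origin.example/"))
```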