CSP Missing base-uri Directive
Pages with CSP but missing base-uri are vulnerable to base tag injection attacks.
By Seoxpert Editorial · Published
Why it matters
Omitting the base-uri directive from a CSP lets an attacker who has found an XSS inject a <base> tag, which rewrites how every relative URL on the page is resolved. Links, form actions, and resource references can then be redirected, undermining user trust and site security. Search engines may penalize compromised sites, affecting SEO.
Impact
Without base-uri, a single XSS can compromise all relative URLs, risking user data and site integrity.
How it's detected
Automated crawlers scan CSP headers for the presence of a base-uri directive and flag pages where it is missing.
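The check described above, written out as an added example (this is not the crawler's own code or anything from the original page): it parses a Content-Security-Policy header into directives, reports whether base-uri is set, and runs over the three header lines the page shows further down. The labels in SAMPLE_HEADERS and the verdict strings are this example's own. One caveat the code encodes: base-uri is a document directive, not a fetch directive, so it does not fall back to default-src; a policy with only default-src 'self' still leaves <base> unrestricted.

```python
"""Check Content-Security-Policy headers for a base-uri directive.

Added example (not code from the original page or its author): a minimal
version of the presence check the article says automated crawlers perform.
The entries in SAMPLE_HEADERS are the three header lines shown on the page.
"""
from __future__ import annotations

HEADER_NAME = "content-security-policy"

# The three header lines from the page, keyed by labels chosen for this example.
SAMPLE_HEADERS = {
    "problematic": "Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com",
    "fixed_self": "Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; base-uri 'self'",
    "fixed_none": "Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; base-uri 'none'",
}


def header_value(line: str) -> str:
    """Accept either a full 'Content-Security-Policy: ...' line or just the value."""
    name, sep, value = line.partition(":")
    if sep and name.strip().lower() == HEADER_NAME:
        return value.strip()
    return line.strip()


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split one policy into {directive-name: [source expressions]}.

    Directives are ';'-separated, names are case-insensitive, and browsers
    honour only the first occurrence of a directive, so duplicates are dropped.
    """
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def check_base_uri(line: str) -> dict:
    """Return a finding for one CSP header.

    A server may deliver several policies (multiple headers, or one header
    with comma-joined values); all of them are enforced, so base-uri counts as
    present if any policy sets it. base-uri does NOT fall back to default-src,
    so a policy with only default-src 'self' still leaves <base> unrestricted.
    """
    for policy in header_value(line).split(","):
        values = parse_policy(policy).get("base-uri")
        if values is None:
            continue
        if values == ["'none'"]:
            verdict = "ok: base-uri 'none' (strictest; only if <base> is never needed)"
        elif values == ["'self'"]:
            verdict = "ok: base-uri 'self'"
        else:
            verdict = "present: review the allowed base origins " + " ".join(values)
        return {"present": True, "value": values, "verdict": verdict}
    return {"present": False, "value": None,
            "verdict": "missing: add base-uri 'self' (or 'none') to the policy"}


def scan(headers: dict[str, str]) -> dict[str, dict]:
    """Run the check over a mapping of page label -> CSP header line."""
    return {label: check_base_uri(line) for label, line in headers.items()}


if __name__ == "__main__":
    for label, finding in scan(SAMPLE_HEADERS).items():
        print(f"{label:12} {finding['verdict']}")
```

Running the script prints one verdict per sample: the page's "problematic" header is reported as missing, and the two fixed headers pass. To use it against a live site, feed each Content-Security-Policy response header value into check_base_uri; the Content-Security-Policy-Report-Only header is deliberately ignored, since a report-only policy does not block an injected <base>.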
Common causes
- CSP configured without including base-uri directive
- Lack of awareness about base-uri's security role
- Relying on default CSP templates that omit base-uri
- Assuming base-uri is unnecessary if <base> is not used
How to fix it
Add a base-uri directive to the policy: base-uri 'self' if the site legitimately uses a same-origin <base> element, or base-uri 'none' if it never uses <base> at all. Note that base-uri does not inherit from default-src, so it must be listed explicitly.
Code examples
Problematic CSP header (missing base-uri)
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com
Fixed CSP header (with base-uri 'self')
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; base-uri 'self'
Stricter fix (with base-uri 'none')
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; base-uri 'none'
FAQ
What does the base-uri directive do in CSP?
It restricts the URLs allowed in the <base> element, preventing attackers from rewriting relative URLs via XSS.
Is base-uri necessary if I don't use a <base> tag?
Yes, because an attacker could inject a <base> tag via XSS if not restricted by CSP.
Can I use base-uri 'none'?
Yes, if your site does not use the <base> element, 'none' provides the strictest security.
Will adding base-uri affect my site's functionality?
No, unless your site sets a <base> tag that the directive does not allow (a cross-origin base under 'self', or any <base> at all under 'none'), which is rare.