base-uri restricted

ab-002424 · security-headers-ii.csp-quality.base-uri-restricted

Severity: mediumactive

Why it matters

A missing base-uri directive lets an attacker who can inject a <base href='https://attacker.com'> tag redirect every relative URL on the page — scripts, stylesheets, form actions, and navigation links — to an attacker-controlled origin. Unlike XSS, this attack requires no JavaScript execution: injecting a single <base> tag is sufficient to compromise the entire page's resource resolution. CWE-79 and CWE-1021 (Improper Restriction of Rendered UI Layers) both apply. OWASP A03 categorizes base-tag injection as a client-side injection technique distinct from classic XSS.

Severity rationale

Medium because base-tag injection requires the ability to inject HTML content, which is a prerequisite condition, but when present it hijacks all relative URL resolution with a single tag.

Remediation

Add base-uri 'self' or base-uri 'none' to your CSP. Unlike most directives, base-uri does not inherit from default-src — it must be specified explicitly.

Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'nonce-{perRequest}' 'strict-dynamic'

If your application does not use any <base> tags (most don't), prefer base-uri 'none' for maximum restriction. Check grep -r '<base' src/ to confirm zero usage before setting 'none'.

Detection

ID: base-uri-restricted
Severity: medium
What to look for: Parse the CSP header for the base-uri directive. Also search all page components for <base> tag usage. Without base-uri restriction, an attacker who can inject a <base> tag can hijack all relative URLs on the page — scripts, stylesheets, links, and form actions would all resolve to the attacker's domain. Count pages with <base> tags.
Pass criteria: base-uri is set to 'self' or 'none' — no more than 1 source allowed. Count all pages with <base> tags (expect 0 in most projects) and report: "base-uri set to 'self'. X pages found with tags."
Fail criteria: No base-uri directive in CSP.
Skip (N/A) when: No Content-Security-Policy header configured. Run Security Headers & Basics first.
Detail on fail: "No base-uri directive in CSP — injected <base> tags can hijack all relative URLs on the page" or "base-uri is set to '*' — provides no protection against base tag injection"
Remediation: Add base-uri to your CSP to prevent base tag injection attacks:
```
base-uri 'self'
```
If your application does not use <base> tags at all (most don't), use 'none' for maximum protection. Note that base-uri does not fall back to default-src — it must be specified explicitly.

External references

cwe · CWE-79
cwe · CWE-1021
owasp:2021 · A03

Taxons

injection-and-input-trust

History

2026-04-18·v1.0.0·Initial import from security-headers-ii·automated

Why it matters

Remediation

Add base-uri 'self' or base-uri 'none' to your CSP. Unlike most directives, base-uri does not inherit from default-src — it must be specified explicitly.

Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'nonce-{perRequest}' 'strict-dynamic'

If your application does not use any <base> tags (most don't), prefer base-uri 'none' for maximum restriction. Check grep -r '<base' src/ to confirm zero usage before setting 'none'.

Detection

ID: base-uri-restricted
Severity: medium
What to look for: Parse the CSP header for the base-uri directive. Also search all page components for <base> tag usage. Without base-uri restriction, an attacker who can inject a <base> tag can hijack all relative URLs on the page — scripts, stylesheets, links, and form actions would all resolve to the attacker's domain. Count pages with <base> tags.
Pass criteria: base-uri is set to 'self' or 'none' — no more than 1 source allowed. Count all pages with <base> tags (expect 0 in most projects) and report: "base-uri set to 'self'. X pages found with tags."
Fail criteria: No base-uri directive in CSP.
Skip (N/A) when: No Content-Security-Policy header configured. Run Security Headers & Basics first.
Detail on fail: "No base-uri directive in CSP — injected <base> tags can hijack all relative URLs on the page" or "base-uri is set to '*' — provides no protection against base tag injection"
Remediation: Add base-uri to your CSP to prevent base tag injection attacks:
```
base-uri 'self'
```
If your application does not use <base> tags at all (most don't), use 'none' for maximum protection. Note that base-uri does not fall back to default-src — it must be specified explicitly.