I am looking for a standard to refer to in order to write a security checklist that could be followed to proactively implement security at the design level. I went through the OWASP ASVS; it mentions some recommendations, but they are generic. For instance, it mentions the below recommendation as part of the HTTP Security Headers section:
"Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities."
I understand the importance of the CSP header and that it should be properly configured, and this is what ASVS says; however, it does not state exactly how the CSP should be configured. Is there a standard that is more definitive?
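As an added example (my own code, not part of the question above and not from ASVS), a small Python checker that turns the generic "a CSP is in place" requirement into concrete, testable checklist conditions; the directive names are standard CSP, while the set of weaknesses it flags is an assumption about what a design checklist should require to be absent:

```python
"""Parse a Content-Security-Policy header and report weaknesses a checklist could require to be absent."""
from __future__ import annotations

# Scheme sources that make script-src effectively open; "http:" also matches http:// hosts.
RISKY_SCHEMES = ("http:", "data:", "blob:")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]} with lower-cased directive names."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_csp(header: str) -> list[str]:
    """Return findings for the given header; an empty list means no checked weakness was found."""
    policy = parse_csp(header)
    findings: list[str] = []
    # script-src falls back to default-src when absent.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
    else:
        # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline' (fallback for old browsers).
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in script_src:
            findings.append("script-src allows 'unsafe-eval'")
        if "*" in script_src:
            findings.append("script-src allows any origin (*)")
        for src in script_src:
            if src.startswith(RISKY_SCHEMES):
                findings.append(f"script-src allows scheme source {src}")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src not restricted (set object-src 'none')")
    if "base-uri" not in policy:
        findings.append("base-uri not restricted (set base-uri 'none' or 'self')")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one permissive, one nonce-based.
    for h in ("default-src *; script-src * 'unsafe-inline'",
              "default-src 'self'; script-src 'nonce-AbC123' 'strict-dynamic'; object-src 'none'; base-uri 'none'"):
        print(h, "->", check_csp(h) or "no findings")
```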