No CSS Guidance

Edit online

Characteristic Description

Cascading style sheets (CSS) are used on web pages to style how content is presented. Pages without CSS indicate to an attacker that the target may have been developed hastily or that the target may be forgotten or not monitored. These targets often have easy to exploit bugs making them good targets for research. Additionally these targets may offer valuable points of presence from which attackers can launch further intrusion into systems with less fear of being caught or frustrated by defensive tools.

Recommendation

Configure

Consider updating pages to include CSS markup or removing these pages from public access by hardening the server's configuration.

Other Options

Control

If there is a business need for web content that does not use CSS, consider restricting access or placing these systems behind a VPN. Segment the servers hosting the site to dedicated networks and limit their access to more sensitive areas within your organization.

Accept

In cases where a site without CSS must be available publicly, it is safe to accept this risk. Closely monitor access to the site and the underlying server(s) to prevent them from being used against you. Here again, segmentation of the servers is recommended to limit the damage of a successful attack.