@apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces
Description

### Context
Content Security Policies (CSP) are a defense-in-depth measure against XSS attacks. An improperly applied CSP is not itself a vulnerability, but it fails to mitigate XSS if a viable XSS attack vector exists.

### Impact
There aren’t any XSS attack vectors via the Apollo Server landing pages _known to Apollo_, so to our knowledge there is no impact. However, if there are existing XSS vectors that haven’t been reported and patched, then all users of Apollo Server’s landing pages have a vulnerability which won’t be prevented by the current CSP implemented by the landing pages.

### Patches
The issue is patched in the latest version of Apollo Server, v4.7.4.

### Workarounds
The landing page can be disabled completely until you are able to upgrade to the patched version.
https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#disabling-the-landing-page

### References
https://content-security-policy.com/nonce/
