Missing Content-Security-Policy Header
What This Means
URLs whose response does not include a Content-Security-Policy header. This header lets a site declare which origins the browser may load scripts, styles, images, frames and other resources from, and whether inline scripts and eval() are allowed. Because an injected script is only useful to an attacker if the browser actually executes it, a well-constructed policy helps guard against cross-site scripting (XSS) attacks that exploit the browser's trust in the content received from the server. It is a defence-in-depth measure: it limits the damage an XSS bug can do, but does not remove the bug itself.
What Triggers This Issue
This issue is triggered when a URL's HTTP response does not carry a Content-Security-Policy header. Header names are case-insensitive, so any casing of the name counts. A response that includes a header such as the following is not flagged:

Content-Security-Policy: default-src 'self'

Note that Content-Security-Policy-Report-Only is a different header: it reports violations but does not block anything, so it does not replace the enforcing header.
How To Fix
Set a strict Content-Security-Policy response header on every page (including error pages and pages served by a CDN or reverse proxy) to help mitigate cross-site scripting (XSS) and data injection attacks. A policy is only as strong as its script-src: allowing 'unsafe-inline' or a wildcard (*) there lets most injected scripts run anyway, so prefer a nonce- or hash-based script-src with 'strict-dynamic', and set object-src 'none' and base-uri 'none'. Roll the policy out with Content-Security-Policy-Report-Only first, watch the violation reports, then switch to the enforcing header. Send the policy as a response header rather than only a <meta http-equiv> tag: a meta tag is applied later in page load and ignores frame-ancestors and reporting directives.
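The following is an added example, not code from this page or from the crawler it documents. It shows both halves of the issue above: auditing a URL's response headers for a missing (or present but weak) Content-Security-Policy, and building the strict nonce-based header recommended as the fix. The function names (audit_csp, parse_csp, build_strict_csp) and the sample responses are assumptions constructed for the example; nothing is fetched from the network.

```python
import secrets
from typing import Dict, List, Optional


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup: HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a CSP value into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive, and a repeated directive is ignored because browsers
    honour only the first occurrence.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def audit_csp(headers: Dict[str, str]) -> List[str]:
    """Return findings for one URL's response headers; an empty list passes."""
    policy = _get_header(headers, "Content-Security-Policy")
    if policy is None:
        if _get_header(headers, "Content-Security-Policy-Report-Only") is not None:
            return ["Only Content-Security-Policy-Report-Only is set; it reports but does not block"]
        return ["Missing Content-Security-Policy header"]

    findings: List[str] = []
    directives = parse_csp(policy)
    # script-src falls back to default-src; with neither, script loading is unrestricted.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("No script-src or default-src: script loading is unrestricted")
    else:
        sources = {s.lower() for s in script_src}
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP level 2+).
        has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append("'unsafe-inline' in script-src without a nonce or hash: inline XSS is not blocked")
        if "*" in sources or "data:" in sources:
            findings.append("script-src allows '*' or data: URLs")
    if "object-src" not in directives and "default-src" not in directives:
        findings.append("No object-src: plugin content is not restricted")
    return findings


def new_nonce() -> str:
    """Fresh, unpredictable per-response nonce (must not be reused across responses)."""
    return secrets.token_urlsafe(16)


def build_strict_csp(nonce: str) -> str:
    """Strict nonce-based policy; the same nonce must be placed on each <script nonce=...> tag."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    )


# Constructed sample responses for three hypothetical URLs (not captured from a real site).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "https://example.test/missing": {"Content-Type": "text/html"},
    "https://example.test/weak": {"content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'"},
    "https://example.test/strict": {"Content-Security-Policy": build_strict_csp(new_nonce())},
}


def audit_all(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Audit every URL and return only those with findings, as the crawler report would."""
    return {url: f for url, f in ((u, audit_csp(h)) for u, h in responses.items()) if f}


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

Run as a script it lists the two sample URLs that have problems and stays silent about the strict one. The nonce-based builder is deliberately used instead of a host allowlist: allowlists tend to grow until they include a CDN that hosts a JSONP endpoint or an old library with a bypass, whereas a per-response nonce plus 'strict-dynamic' only trusts scripts the server itself marked.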