Missing Content-Security-Policy Header
No Content-Security-Policy (CSP) header is set, leaving the site vulnerable to cross-site scripting (XSS) and data injection attacks.
What is Missing Content-Security-Policy Header?
Content-Security-Policy (CSP) is the most powerful defense against cross-site scripting (XSS). It tells the browser which sources of content (scripts, styles, images, fonts) are allowed to load and execute. Without CSP, any injected script — whether from a stored XSS vulnerability, a third-party library compromise, or a malicious advertisement — will execute freely in your users' browsers. CSP is the last line of defense when input validation and output encoding fail.
Why It Matters to Your Business
Without CSP, a single XSS vulnerability can lead to credential theft, session hijacking, defacement, malware distribution, and full account takeover. The average cost of an XSS-related breach is $1.5M according to IBM's Cost of a Data Breach report. CSP dramatically reduces the blast radius of XSS by blocking unauthorized scripts.
How to Fix It
Start with a report-only CSP to identify violations, then enforce: Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; Once you've fixed violations, switch to enforcement: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; upgrade-insecure-requests; For Nginx: add_header Content-Security-Policy "default-src 'self'; ..." always; For Apache: Header always set Content-Security-Policy "default-src 'self'; ..."
Technical Classification
| OWASP Category | A05:2021 — Security Misconfiguration |
| CWE ID | CWE-79: Cross-site Scripting |
| Detected By | headers scanner(s) |
| Severity Level | high |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our headers scanner checks for this issue automatically.
Scan My Website FreeRelated Vulnerabilities
Missing HSTS Header
The HTTP Strict Transport Security (HSTS) header is missing, allowing browsers to silently downgrade HTTPS connections to HTTP.
Missing X-Frame-Options Header (Clickjacking)
The X-Frame-Options header is missing, allowing your site to be embedded in iframes on malicious sites (clickjacking attacks).
Insecure Cookie Configuration
Session cookies are missing the Secure, HttpOnly, or SameSite attributes, exposing them to theft via XSS, MITM, or CSRF.
CORS Misconfiguration
The server reflects arbitrary Origin headers with credentials, allowing any website to make authenticated cross-origin requests.