high HTTP Headers

Missing Content-Security-Policy Header

No Content-Security-Policy (CSP) header is set, leaving the site vulnerable to cross-site scripting (XSS) and data injection attacks.

Severity
high
Time to Fix
2-4 hours (depending on third-party scripts)
Difficulty
medium
OWASP
A05:2021 — Security Misconfiguration

What is Missing Content-Security-Policy Header?

Content-Security-Policy (CSP) is the most powerful defense against cross-site scripting (XSS). It tells the browser which sources of content (scripts, styles, images, fonts) are allowed to load and execute. Without CSP, any injected script — whether from a stored XSS vulnerability, a third-party library compromise, or a malicious advertisement — will execute freely in your users' browsers. CSP is the last line of defense when input validation and output encoding fail.

Why It Matters to Your Business

Without CSP, a single XSS vulnerability can lead to credential theft, session hijacking, defacement, malware distribution, and full account takeover. The average cost of an XSS-related breach is $1.5M according to IBM's Cost of a Data Breach report. CSP dramatically reduces the blast radius of XSS by blocking unauthorized scripts.

How to Fix It

Start with a report-only CSP to identify violations, then enforce:

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:;

Once you've fixed violations, switch to enforcement:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; upgrade-insecure-requests;

For Nginx: add_header Content-Security-Policy "default-src 'self'; ..." always;
For Apache: Header always set Content-Security-Policy "default-src 'self'; ..."

Technical Classification

OWASP CategoryA05:2021 — Security Misconfiguration
CWE IDCWE-79: Cross-site Scripting
Detected Byheaders scanner(s)
Severity Levelhigh

Check if your website has this vulnerability

Our headers scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities