Content-Security-Policy Header is Missing

Impact: Low


The absence of the Content-Security-Policy (CSP) response header leaves a website vulnerable to various types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. Without CSP, attackers can exploit vulnerabilities in the web application to execute malicious scripts, steal sensitive data, or deface the site.


To enhance security, configure your server to send the Content-Security-Policy header for all pages with a well-defined policy that restricts the sources from which content can be loaded and executed. Implementing CSP effectively requires careful consideration of the web application’s functionality and dependencies.


Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue