Content Security Policy (CSP) Missing or Weak

High Severity Technical Guide

Vulnerability Description

Content Security Policy (CSP) is an HTTP response header that lets site operators restrict which resources (such as JavaScript, CSS and images) the browser may load for a given page, and from which origins. A missing or weakly configured CSP leaves a site highly susceptible to Cross-Site Scripting (XSS) and other content-injection attacks, because the browser will execute any script an attacker manages to inject into the page.

Remediation Guide

To resolve this vulnerability, apply the following configuration change or development practice:

Define and send a Content-Security-Policy header on every HTML response. Start with a restrictive default-src policy and whitelist only trusted origins, for example:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trustedscripts.com; style-src 'self' 'unsafe-inline';

Verify Your Fix

After applying the remediation, run an external attack-surface scan to confirm that WebScanify no longer reports the vulnerability.
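The following added example (not WebScanify code) ties the remediation and verification steps together: it serves a page on localhost with a given Content-Security-Policy header, fetches it over HTTP the way an external scanner would, and assesses the policy it received. The recommended policy is the one from this guide; the weak policy, the hostname and the checker's rules are constructed for illustration.

```python
"""Send a Content-Security-Policy header, then verify it the way an external
scanner would: fetch the page over HTTP and assess the policy actually received.
Added example, not WebScanify code. RECOMMENDED_CSP is the guide's own policy;
WEAK_CSP and the findings below are constructed for illustration."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, List, Optional

# Policy recommended in the remediation guide above.
RECOMMENDED_CSP = (
    "default-src 'self'; script-src 'self' https://trustedscripts.com; "
    "style-src 'self' 'unsafe-inline';"
)
# Constructed weak policy: no default-src, wildcard, inline and eval'd scripts.
WEAK_CSP = "script-src * 'unsafe-inline' 'unsafe-eval'; img-src *"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}; directive names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def assess_csp(header: Optional[str]) -> List[str]:
    """Return the weaknesses a scanner would flag; an empty list means none were found.
    Only script-affecting settings are checked here: 'unsafe-inline' in style-src
    (as in the recommended policy) is accepted, though it still permits inline CSS."""
    if not header:
        return ["CSP header missing"]
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: any directive not listed falls back to allow-all")
    # script-src overrides default-src for scripts; fall back only when it is absent.
    script_sources = policy.get("script-src", policy.get("default-src", []))
    if "*" in script_sources:
        findings.append("scripts may load from any origin ('*')")
    if "'unsafe-inline'" in script_sources:
        findings.append("'unsafe-inline' allows injected inline scripts to run")
    if "'unsafe-eval'" in script_sources:
        findings.append("'unsafe-eval' allows string-to-code evaluation")
    return findings


class CspHandler(BaseHTTPRequestHandler):
    """Minimal server that sends the configured policy (None simulates a missing header)."""
    csp: Optional[str] = RECOMMENDED_CSP  # set per run by fetch_csp()

    def do_GET(self) -> None:
        body = b"<html><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        if self.csp is not None:
            self.send_header("Content-Security-Policy", self.csp)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the example quiet
        pass


def fetch_csp(policy: Optional[str]) -> Optional[str]:
    """Serve one page on 127.0.0.1 with `policy` and return the CSP header the client saw."""
    CspHandler.csp = policy
    server = ThreadingHTTPServer(("127.0.0.1", 0), CspHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("Content-Security-Policy")
    finally:
        server.shutdown()
        server.server_close()


def verify_fix(policy: Optional[str]) -> List[str]:
    """End-to-end check: deploy the policy, fetch it externally, assess it."""
    return assess_csp(fetch_csp(policy))


if __name__ == "__main__":
    for label, policy in (("none", None), ("weak", WEAK_CSP), ("recommended", RECOMMENDED_CSP)):
        print(label, "->", verify_fix(policy) or "no weaknesses found")
```

The checker looks at the header the client actually received, not at the server configuration, which is what matters: a policy set in an application framework but stripped by a reverse proxy or CDN still scans as missing. Note that 'unsafe-inline' in style-src, which the recommended policy keeps for compatibility, is not flagged here because it does not affect script execution; tightening it with nonces or hashes is a later hardening step.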

Is your website vulnerable?

Run a free security scan now to identify missing headers, outdated JS, and other deployment vulnerabilities.