Content Security Policy (CSP) missing — what it is and how to add one safely
Content-Security-Policy (CSP) is the browser-enforced rule set that limits which scripts, styles, and connections your pages may use. Without a CSP, an injected script tag (or a compromised third-party SDK) executes with no extra friction.
Why it matters
Even a starter CSP — `default-src 'self'; base-uri 'self'; form-action 'self'` — measurably reduces the blast radius of common XSS and supply-chain bugs.
Real-world risk
Without CSP, injected script runs with fewer browser-enforced limits; XSS impact is often worse.
Fix steps (in order)
- Add Content-Security-Policy (to roll out without breaking pages, first send the same value as Content-Security-Policy-Report-Only, which logs violations in the browser without blocking anything): Content-Security-Policy: default-src 'self'; base-uri 'self'; form-action 'self'
- Tighten script-src over time (nonces or hashes for the inline scripts you actually need); avoid 'unsafe-inline' in script-src in production where possible.
Example configurations
Patterns for common stacks. Set headers at your CDN, load balancer, or origin as appropriate.
nginx · nginx
  add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; form-action 'self'" always;
Express (helmet) · typescript
  import helmet from "helmet";

  // helmet merges these with its default directives unless you pass
  // useDefaults: false, so the header it emits is stricter than these three lines.
  app.use(
    helmet.contentSecurityPolicy({
      directives: {
        defaultSrc: ["'self'"],
        baseUri: ["'self'"],
        formAction: ["'self'"],
      },
    }),
  );
Apache · apache
  Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; form-action 'self'"
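As an added example (not Scorifya's code and not part of the original page), the following TypeScript linter checks a header value against the fix steps above: the three starter directives are present, keywords are quoted, and 'unsafe-inline' is not in effect for scripts. The function names parseCsp, lintCsp and cspHeaderName and the sample policy strings are assumptions of this example.

```typescript
// Added example, not Scorifya's own code: parse a Content-Security-Policy value
// and lint it against the starter policy (default-src, base-uri, form-action).

type Policy = Record<string, string[]>;

// Split "dir src src; dir src" into a directive -> sources map.
// Per the CSP spec, a directive that appears twice keeps only its first occurrence.
function parseCsp(value: string): Policy {
  const policy = Object.create(null) as Policy;
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Fetch directives such as script-src fall back to default-src when absent;
// base-uri and form-action do NOT, which is why the starter policy lists them.
function effectiveSources(policy: Policy, directive: string): string[] {
  return policy[directive] || policy["default-src"] || [];
}

// Keywords must be single-quoted: an unquoted `self` is parsed as a host name
// and silently matches nothing.
const KEYWORDS = /^(self|none|unsafe-inline|unsafe-eval|strict-dynamic)$/i;

function lintCsp(value: string): string[] {
  const findings: string[] = [];
  const policy = parseCsp(value);

  if (!("default-src" in policy)) findings.push("default-src missing: unlisted resource types are unrestricted");
  if (!("base-uri" in policy)) findings.push("base-uri missing: an injected <base> tag can redirect relative script URLs");
  if (!("form-action" in policy)) findings.push("form-action missing: injected forms can submit to any origin");

  for (const name of Object.keys(policy)) {
    for (const src of policy[name]) {
      if (KEYWORDS.test(src)) findings.push(name + ": keyword " + src + " must be quoted ('" + src + "')");
    }
  }

  const scripts = effectiveSources(policy, "script-src");
  const hasNonceOrHash = scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is
  // present, so it is only reported when it is actually in effect.
  if (scripts.indexOf("'unsafe-inline'") !== -1 && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': injected inline script executes");
  }
  if (scripts.indexOf("*") !== -1) findings.push("script-src allows scripts from any host");
  return findings;
}

// Header name for a report-only rollout versus enforcement.
function cspHeaderName(reportOnly: boolean): string {
  return reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
}

// Constructed sample values for this example.
const STARTER = "default-src 'self'; base-uri 'self'; form-action 'self'";
const INLINE = "default-src 'self'; script-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'";
const UNQUOTED = "default-src self; base-uri 'self'; form-action 'self'";

console.log(cspHeaderName(true), lintCsp(STARTER));
console.log(lintCsp(INLINE));
console.log(lintCsp(UNQUOTED));
```

Run it against the value your CDN or origin actually emits (for example, copied from the response headers in the browser's network panel) rather than the configuration file, since intermediaries can rewrite or drop the header.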
Topic explainer
What is Content Security Policy (CSP)? A practical explainer →
An accessible explanation of Content Security Policy: what it does, why it exists, the directives that matter, and how to roll one out without breaking your app.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (missing_csp) clears once the externally-observable signal is in place.