Content Security Policy (CSP)
Content Security Policy is an HTTP response header that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by letting the server declare which sources of scripts, styles, frames, and other content the browser may load.
Why It Matters
XSS attacks remain one of the most common web vulnerabilities. CSP acts as a defense-in-depth layer that can block malicious scripts even if your application has XSS vulnerabilities. Without CSP, attackers can inject scripts that steal user data, hijack sessions, or deface your website.
How We Check
We analyze your Content-Security-Policy header for proper directives including default-src, script-src, style-src, and frame-ancestors. We check for unsafe patterns like 'unsafe-inline' and 'unsafe-eval' that weaken protection.
How to Fix
Add a Content-Security-Policy header, starting from a restrictive baseline such as default-src 'self' and loosening only the directives your pages actually need. Use nonces or hashes instead of 'unsafe-inline' for inline scripts. Deploy the policy first as Content-Security-Policy-Report-Only so violation reports reveal what would break before you switch to enforcement.
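As an added example (not code from the page or its scanner), the following Python snippet performs the kind of check described above: it parses a CSP header into directives, flags a missing default-src or frame-ancestors, and reports 'unsafe-inline', 'unsafe-eval' and wildcard sources. The required-directive list and the sample weak and hardened policies are constructed for illustration.

```python
# Added example, not from the original page: a minimal CSP checker that parses
# the header into directives and flags the weak patterns the page describes.
# The REQUIRED list and the sample policies below are constructed assumptions.
import re

# script-src and style-src fall back to default-src when absent, so only
# default-src and frame-ancestors are treated as required here.
REQUIRED = ("default-src", "frame-ancestors")
UNSAFE_SOURCES = ("'unsafe-inline'", "'unsafe-eval'")
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$")


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}; names lower-cased."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(header):
    """Return a list of findings; an empty list means no weakness detected."""
    policy = parse_csp(header)
    findings = []
    for name in REQUIRED:
        if name not in policy:
            findings.append(f"missing {name}")
    for name, sources in policy.items():
        for src in sources:
            if src in UNSAFE_SOURCES:
                # Browsers ignore 'unsafe-inline' when a nonce or hash is present
                # in the same directive (CSP Level 2+), so do not flag that case.
                if src == "'unsafe-inline'" and any(NONCE_OR_HASH.match(s) for s in sources):
                    continue
                findings.append(f"{name} allows {src}")
            if src == "*" and name in ("default-src", "script-src"):
                findings.append(f"{name} allows any origin (*)")
    return findings


# Constructed sample policies: a weak header beside its hardened, nonce-based form.
WEAK = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
HARDENED = ("default-src 'self'; script-src 'self' 'nonce-r4nd0mBase64'; "
            "style-src 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_csp(header) or ["ok"])
```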
Related Tool
Security Headers Checker
Run all 10 related checks with our free security headers checker
Check Your Website Now
Run a free security scan to check for Content Security Policy (CSP) issues and 58+ other security vulnerabilities.