Skip to main content
All SEO checks
Securityinfo

Missing Content-Security-Policy header

What this check looks for

Checks whether the server sends a Content-Security-Policy response header.

Why it matters

A Content-Security-Policy restricts which sources of scripts, styles, and other resources the browser will load, which is the strongest defense against cross-site scripting and content injection. Beyond protecting users, a solid CSP signals a hardened, well-run site. Start in report-only mode to catch violations before enforcing, because an overly strict policy can break legitimate assets.

How to fix it

nginx
# Tighten sources to match what your site actually loads
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'; base-uri 'self'" always;

# Safer rollout: report violations without blocking first
# add_header Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report" always;

Go deeper

Check your site for this and 120+ other issues

Analyze any URL free