All SEO checks
Securityinfo
Missing Content-Security-Policy header
What this check looks for
Checks whether the server sends a Content-Security-Policy response header.
Why it matters
A Content-Security-Policy restricts which sources of scripts, styles, and other resources the browser will load, which is the strongest defense against cross-site scripting and content injection. Beyond protecting users, a solid CSP signals a hardened, well-run site. Start in report-only mode to catch violations before enforcing, because an overly strict policy can break legitimate assets.
How to fix it
nginx
# Tighten sources to match what your site actually loads
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'; base-uri 'self'" always;
# Safer rollout: report violations without blocking first
# add_header Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report" always;Go deeper
Check your site for this and 120+ other issues
Analyze any URL free