No Content Security Policy header
A Content Security Policy (CSP) is an HTTP response header that tells visitors' browsers which sources of scripts, styles, images, frames and other resources a page is allowed to load, and which inline scripts may run. No CSP header was found on this site.
Why this matters
Without a CSP, a browser runs whatever script ends up in the page, so a single injection flaw (in your own code or in a third-party widget) lets an attacker execute script as the visitor: capture credentials typed into forms, steal session tokens, inject content, or redirect visitors to a phishing site. Cross-site scripting (XSS) remains one of the most common web vulnerabilities and sits under the Injection category of the OWASP Top 10. CSP is a defence-in-depth layer rather than a fix for the injection bug itself: with a policy that allows only listed origins and nonce- or hash-marked scripts, injected inline scripts and scripts from unlisted hosts are blocked even when an injection point exists. OWASP recommends CSP alongside contextual output encoding, not instead of it.
How to fix it
Work with your developer to add the header in your web server, application framework or CDN configuration. A misconfigured CSP can break your own site, so roll it out in two stages: first send Content-Security-Policy-Report-Only with a report-uri (or report-to) directive, which makes browsers log violations to your endpoint without blocking anything; review the reports for a week or two and add any legitimate sources they reveal; then switch the header name to Content-Security-Policy to enforce it. Prefer per-request nonces or hashes for inline scripts over 'unsafe-inline', set object-src 'none' and base-uri 'self', and use frame-ancestors to control framing. Many CDNs and hosting platforms let you add response headers in their dashboard and some ship starter policies. Confirm the header is actually reaching visitors by requesting a page with curl -I and checking the response, and re-check after any CDN or server change.