Security: Missing Content-Security-Policy Header

URLs that are missing the Content-Security-Policy response header. This header allows a website to control which resources are loaded for a page.

This policy can help guard against cross-site scripting (XSS) attacks that exploit the browser’s trust of the content received from the server.

How to Analyse in the SEO Spider

Use the ‘Security’ tab and ‘Missing Content-Security-Policy Header’ filter to view these URLs and export all URLs using the ‘Export’ button.

The SEO Spider only checks for the existence of the header; it does not interrogate the policies within the header to determine whether they are well set up for the website. This should be performed manually.
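One way to carry out that manual review on exported header values, as an added example (not part of the SEO Spider or of the original page): it parses a policy and flags a few common weaknesses in how scripts and plugins are restricted. The function names, the choice of checks and the sample URLs are assumptions made for illustration.

```python
def parse_csp(header_value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def review_csp(header_value):
    """Return a list of findings for one response (None means header absent)."""
    if header_value is None or not header_value.strip():
        return ["missing Content-Security-Policy header"]
    policy = parse_csp(header_value)
    findings = []
    # script-src falls back to default-src when it is not set.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: scripts are unrestricted")
    else:
        lowered = [s.lower() for s in scripts]
        pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                     for s in lowered)
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present.
        if "'unsafe-inline'" in lowered and not pinned:
            findings.append("script source allows 'unsafe-inline'")
        if "'unsafe-eval'" in lowered:
            findings.append("script source allows 'unsafe-eval'")
        for s in lowered:
            if s in ("*", "http:", "https:", "data:"):
                findings.append(f"script source allows broad source {s}")
    # object-src also falls back to default-src.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src or default-src: plugins are unrestricted")
    return findings


# Constructed sample header values for three hypothetical URLs.
SAMPLES = {
    "https://example.com/": "default-src 'self'",
    "https://example.com/app": "default-src *; script-src 'self' 'unsafe-inline' https:",
    "https://example.com/old": None,
}

if __name__ == "__main__":
    for url, value in SAMPLES.items():
        print(url, review_csp(value) or ["no findings"])
```

A URL with no findings here has passed only these checks; the policy still needs to be read against what the site actually loads.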

What Triggers This Issue

This issue is triggered when a URL is missing the Content-Security-Policy response header.

For example, a response that does not include a header such as the following:

Content-Security-Policy: default-src 'self'

How To Fix

Set a strict Content-Security-Policy response header across all pages to help mitigate cross-site scripting (XSS) and data injection attacks.
