Quick Reference
Element Code: SE-001
Issue: Content-Security-Policy header is not set
Impact: The browser has no restriction on which scripts and resources the page may load, so any XSS or content-injection bug can be exploited to its full extent
Fix: Implement CSP header with appropriate directives
Detection: Security scanners, browser DevTools, HTTP header inspection
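The detection step above (inspecting the HTTP header) can be scripted. What follows is an added example, not code from the original post: it parses a Content-Security-Policy value and flags the weaknesses a scanner would report. It runs on Node 18+ without dependencies; the sample policy is the one quoted later in this post, and the particular checks are this example's own choice.

```javascript
// Added example, not code from the original post: parse a
// Content-Security-Policy value and flag the weaknesses a scanner would.
// Runs on Node 18+ with no dependencies; the sample policy is the one quoted
// in this post, and the check list below is this example's own choice.

// The post's own example policy, used as constructed input when no URL is given.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://trusted-cdn.com; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;";

// Source expressions that make script-src effectively open.
const BROAD_SCRIPT_SOURCES = new Set(['*', 'http:', 'https:', 'data:', 'blob:', "'unsafe-eval'"]);

// "name src src; name src" -> { name: [src, src] }. Browsers keep the first
// occurrence of a repeated directive and ignore later ones, so do the same.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives (script-src, object-src, ...) fall back to default-src.
// base-uri and frame-ancestors do not, which is why they must be listed.
function effectiveSources(policy, name) {
  return policy[name] || policy['default-src'] || null;
}

// Returns a list of findings; an empty list means nothing obviously weak.
function auditCsp(headerValue) {
  if (!headerValue || !headerValue.trim()) {
    return ['Content-Security-Policy header is not set'];
  }
  const findings = [];
  const policy = parseCsp(headerValue);

  const script = effectiveSources(policy, 'script-src');
  if (!script) {
    findings.push('script-src: neither script-src nor default-src is set, so scripts load from anywhere');
  } else {
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    // so only flag it when it actually takes effect.
    const nonceOrHash = script.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    if (script.includes("'unsafe-inline'") && !nonceOrHash) {
      findings.push("script-src: 'unsafe-inline' without a nonce or hash lets injected <script> blocks run");
    }
    for (const s of script) {
      if (BROAD_SCRIPT_SOURCES.has(s)) findings.push(`script-src: ${s} allows far more than the site's own scripts`);
    }
  }

  const objectSrc = effectiveSources(policy, 'object-src');
  if (!objectSrc || !objectSrc.includes("'none'")) {
    findings.push("object-src: not 'none', plugin content (<object>, <embed>) can still be injected");
  }
  if (!policy['base-uri']) {
    findings.push('base-uri: missing, an injected <base> tag can redirect relative script URLs');
  }
  if (!policy['frame-ancestors']) {
    findings.push('frame-ancestors: missing, other sites can frame this page (clickjacking)');
  }
  return findings;
}

// Stand-alone use: `node csp-audit.js https://example.com` fetches the page
// (global fetch, Node 18+) and audits its header; with no URL it audits SAMPLE_POLICY.
async function main() {
  const url = process.argv.find((a) => /^https?:\/\//.test(a));
  let value = SAMPLE_POLICY;
  let label = 'constructed sample policy';
  if (url) {
    const res = await fetch(url, { redirect: 'follow' });
    value = res.headers.get('content-security-policy');
    label = url;
  }
  console.log(`${label}: ${value ? 'CSP present' : 'CSP missing'}`);
  for (const finding of auditCsp(value)) console.log(`  - ${finding}`);
}

main().catch((err) => console.error(String(err)));
```

Run against the post's own example policy the audit passes script-src but reports three gaps (object-src, base-uri, frame-ancestors), which is the usual outcome for a first policy: the fetch directives are right, the non-inheriting ones are forgotten. Note that a missing header and an empty header are treated the same, since an empty policy restricts nothing.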
What Is This Issue?
Content Security Policy (CSP) is a response header that tells the browser which sources of scripts, styles, images, frames and other resources a page may load, and which sites may embed it. It does not fix injection bugs in your code, but it limits what an injected payload can do: with a well-chosen policy an injected inline script, or a script pulled from an attacker's domain, is blocked instead of executed, and the frame-ancestors directive stops other sites from framing your pages (clickjacking). Without it, the browser trusts everything the page emits, so any cross-site scripting (XSS) or content-injection bug runs unhindered.
Why This Matters
- XSS Mitigation: script-src with nonces, hashes or a tight allowlist blocks inline scripts and scripts from unlisted origins, so an injected payload does not run
- Data Exfiltration: connect-src, img-src and form-action limit where a compromised page can send data
- Trust Signals: Security-conscious sites implement CSP
How to Implement
Add CSP as an HTTP response header sent by your web server or application (a <meta> tag also works for most directives, but frame-ancestors and reporting only work in the header form):
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;
Here 'self' means the page's own origin. 'unsafe-inline' is granted to styles only; never add it to script-src, since that re-enables exactly the inline scripts CSP is meant to block. For a production policy also add object-src 'none', base-uri 'self' and a frame-ancestors directive: base-uri and frame-ancestors do not inherit from default-src, so leaving them out leaves <base> injection and clickjacking unaddressed.
Start with Report-Only
Test your policy first without blocking. With the Report-Only header the browser evaluates the policy and reports violations but blocks nothing, so you can see what an enforcing policy would break on real traffic:
Content-Security-Policy-Report-Only: default-src 'self';
Violations are only printed to the browser's DevTools console unless the policy also contains a report-to or report-uri directive pointing at an endpoint you control. Review those reports, adjust the policy, then switch the header name to Content-Security-Policy to enforce it.
TL;DR (The Simple Version)
Your site doesn't have a Content Security Policy header, so if an attacker manages to inject a script it will run unhindered. Implementing CSP lets the browser block injected scripts and other unapproved content, which blunts cross-site scripting attacks.
About SEO ProCheck
Technical SEO consulting and GEO strategy with 20 years of enterprise experience. Case studies, resources, and tools for search and AI visibility.