Security · Severity: Medium

Content-Security-Policy

Checks for a Content-Security-Policy header that restricts script sources, a major XSS defense.

What this check measures

We read the `Content-Security-Policy` response header and verify that it restricts `script-src` (or `default-src`, which `script-src` falls back to), `style-src`, and `frame-ancestors`. A missing header, or a policy whose effective script sources allow `'unsafe-inline'`, is flagged.

Why it matters

CSP is the browser's built-in second line of defense against XSS. Without it, any XSS bug (stored or reflected) lets injected script run with the full privileges of your origin. With a tight CSP, a script that makes it into the DOM is still refused by the browser unless it comes from an allowed source or carries a valid nonce or hash. CSP does not replace output encoding, but it limits the damage when encoding is missed, and it is a standard control in mature banking and SaaS applications.


How our audit detects it

Parse the `Content-Security-Policy` header into its directives. The effective script sources are `script-src` if present, otherwise `default-src`; they must exist and must not contain `'unsafe-inline'`, `'unsafe-eval'`, or a bare `*` host source. Separately check that `frame-ancestors` is present, since it has no `default-src` fallback.
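The checks above as working code. This is an added example, not Pantra's audit code: a small CSP parser and the findings logic, run over constructed sample headers (none observed from a real site). It also covers two rules the summary glosses over: browsers ignore `'unsafe-inline'` once a nonce or hash is present in the same directive, and `'strict-dynamic'` makes host and scheme sources irrelevant, so neither should be reported in those cases.

```javascript
// Added example, not Pantra's audit code. Sample headers below are constructed.

// Parse a policy into { directiveName: [sourceExpression, ...] }.
// Directives are ';'-separated, tokens whitespace-separated, names are
// case-insensitive, and a repeated directive is ignored after its first
// occurrence, which is how browsers treat duplicates.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src falls back to default-src when absent. frame-ancestors never
// falls back, so it has to be stated explicitly to count.
function effectiveScriptSources(directives) {
  if ('script-src' in directives) return directives['script-src'];
  if ('default-src' in directives) return directives['default-src'];
  return null;
}

// Returns a list of finding strings; an empty list means the policy passed.
function auditCsp(header) {
  const findings = [];
  if (!header || header.trim() === '') {
    findings.push('No CSP header at all.');
    return findings;
  }
  const directives = parseCsp(header);
  const scriptSources = effectiveScriptSources(directives);

  if (scriptSources === null) {
    findings.push('No script-src and no default-src fallback: scripts may load from anywhere.');
  } else {
    const srcs = scriptSources.map(s => s.toLowerCase());
    const hasNonceOrHash = srcs.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const strictDynamic = srcs.includes("'strict-dynamic'");

    // 'unsafe-inline' is ignored by browsers when a nonce or hash is present,
    // so it is only a finding when it actually takes effect.
    if (srcs.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("CSP allows 'unsafe-inline' scripts: any injected <script> runs.");
    }
    if (srcs.includes("'unsafe-eval'")) {
      findings.push("CSP allows 'unsafe-eval': injected strings can reach eval() and Function().");
    }
    // A bare '*' or a scheme-only source allows any host. With 'strict-dynamic'
    // host and scheme sources are ignored entirely, so the check is moot.
    const anyHost = srcs.some(s => s === '*' || s === 'https:' || s === 'http:');
    if (anyHost && !strictDynamic) {
      findings.push('CSP script sources contain a wildcard: scripts may load from any host.');
    }
  }

  if (!('frame-ancestors' in directives)) {
    findings.push('CSP missing frame-ancestors: no clickjacking defense.');
  }
  return findings;
}

// Constructed sample headers for the four typical findings and one good policy.
const SAMPLES = {
  missing: '',
  inline: "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; style-src 'self' 'unsafe-inline'",
  wildcard: "default-src *; frame-ancestors 'self'",
  strict: "default-src 'self'; script-src 'nonce-r4nd0m' 'unsafe-inline' 'strict-dynamic' https:; object-src 'none'; frame-ancestors 'none'",
};

for (const [name, header] of Object.entries(SAMPLES)) {
  console.log(name, auditCsp(header));
}
```

The `strict` sample is the shape a modern nonce-based policy takes: `'unsafe-inline'` and `https:` are present only so that browsers without nonce or `'strict-dynamic'` support still get a policy, and a checker that flags them literally would report a false positive.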

Typical findings

  • No CSP header at all.
  • CSP allows `'unsafe-inline'` in its script sources, which defeats the purpose: an injected `<script>` block runs.
  • CSP missing `frame-ancestors`, so there is no clickjacking defense (this directive does not fall back to `default-src`).
  • CSP script sources contain a wildcard (`*`), which allows scripts from any host.

How to fix

Start with `Content-Security-Policy-Report-Only` for a week to see violations without breaking anything; include a `report-uri` (or the newer `report-to`) directive pointing at an endpoint you control, otherwise violations only show up in the browser console. Then tighten to something like `default-src 'self'; script-src 'self' https://trusted.com; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';` (replace `https://trusted.com` with the hosts your scripts actually come from) and switch to the enforcing `Content-Security-Policy` header. Inline scripts you cannot move into files should get a per-response nonce or a hash rather than `'unsafe-inline'`; the `'unsafe-inline'` on `style-src` is a compromise to drop once your styles are in files too.

Copy-paste fix prompt for your stack

Lovable · Cursor · Bolt · v0 · Replit · Windsurf · Claude Code · Base44


Frequently asked questions

Will CSP break my site?
Possibly. Inline scripts and styles need refactoring into files, or a per-response nonce or a hash for each block. Start in Report-Only mode to find violations before enforcing.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

