High severity

Missing Content Security Policy (CSP)

CSP is the "nuclear option" against Cross-Site Scripting (XSS). It tells the browser exactly which domains are allowed to run code on your page.

Business risk

Without CSP, any script injected into your page (via a compromised ad, a malicious npm package, or a user comment) can execute with full permissions. It can steal cookies, read local storage, and redirect users. CSP blocks unauthorized scripts from loading entirely.

Technical details

Pitfall: Don't just set `default-src: *`. That does nothing. Start with `default-src 'none'` and unlock only what you need. Use `Content-Security-Policy-Report-Only` header first to see what *would* break without actually breaking it, logging violations to a service like Sentry or URIports.

How to detect it

CSP ships as the `Content-Security-Policy` response header (or `Content-Security-Policy-Report-Only` during rollout). A missing or permissive policy is trivial to spot in one curl. Google's CSP Evaluator will grade an existing policy.

Check the header is present

curl -sI https://yourdomain.com | grep -i content-security-policy

Inspect the full directive set

curl -sI https://yourdomain.com | grep -i "^content-security-policy" | fold -s -w 120

Score the policy

https://csp-evaluator.withgoogle.com/?url=https://yourdomain.com

Common pitfalls

Shipping `default-src *` and calling it done. The wildcard allows every origin, which is the opposite of what CSP is for. Start from `default-src 'none'` and add sources you actually need.
Jumping to enforcement without a Report-Only phase. Use `Content-Security-Policy-Report-Only` first and collect violations through a `report-to` endpoint for 1-2 weeks before switching to the enforcing header.
Leaving `'unsafe-inline'` and `'unsafe-eval'` in the script-src. These two keywords neuter the XSS defense CSP is meant to provide. Move inline scripts to external files or adopt a nonce or hash strategy.
Omitting `frame-ancestors`. Without it, CSP does nothing to prevent clickjacking. Set `frame-ancestors 'none'` (or a specific allowlist) in addition to `X-Frame-Options`.
Setting the policy via a `<meta http-equiv>` tag for a header-only directive. `frame-ancestors`, `report-uri`, and `sandbox` are ignored in meta tags. Ship via the HTTP header.

Remediation guide

// next.config.js
// Only use 'unsafe-inline' if necessary (e.g. Google Tag Manager)
const cspHeader = `
    default-src 'self';
    script-src 'self' 'nonce-{random}' 'strict-dynamic';
    style-src 'self' 'unsafe-inline';
    object-src 'none';
    base-uri 'self';
    frame-ancestors 'none';
    block-all-mixed-content;
`;

javascript

External references

Frequently asked questions

Report-Only or enforcing - which do I ship first?

Always Report-Only first. The browser parses the policy, reports violations via `report-to`, but does not block anything. Once you have zero legitimate violations across real traffic for 1-2 weeks, switch to the enforcing `Content-Security-Policy` header.

When is `unsafe-inline` actually OK?

Briefly, during migration. If you need to accept inline styles for a legacy page, keep `unsafe-inline` in `style-src` only (never `script-src`) and plan the move to external stylesheets. For scripts, prefer nonces or `strict-dynamic` with a hash-based fallback.

Nonces or hashes for inline scripts?

Nonces are easier at request time (generate a random value per response, inject it into the script tag and the header). Hashes are better for static templates but need a rebuild step when the script changes. Most teams use nonces in dynamic apps and hashes for build-time assets.

Keep going

Related guide

Missing Subresource Integrity (SRI)

Medium severity · Content

Related guide

Unsafe Links (Reverse Tabnabbing)

Medium severity · Content

Related guide

Missing X-Frame-Options

Medium severity · Content

Deep guide

CSP Safe Rollout: Report-Only to Enforce in Six Stages

Deploy a Content-Security-Policy that actually stops XSS - without shipping a broken site.

Free tool

CSP Checker

Validate your CSP in one scan - catches the mistakes linters miss.

Verify your fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.

How to detect it

Check the header is present

curl -sI https://yourdomain.com | grep -i content-security-policy

Inspect the full directive set

curl -sI https://yourdomain.com | grep -i "^content-security-policy" | fold -s -w 120

Score the policy

https://csp-evaluator.withgoogle.com/?url=https://yourdomain.com

Common pitfalls

Shipping `default-src *` and calling it done. The wildcard allows every origin, which is the opposite of what CSP is for. Start from `default-src 'none'` and add sources you actually need.

Jumping to enforcement without a Report-Only phase. Use `Content-Security-Policy-Report-Only` first and collect violations through a `report-to` endpoint for 1-2 weeks before switching to the enforcing header.

Leaving `'unsafe-inline'` and `'unsafe-eval'` in the script-src. These two keywords neuter the XSS defense CSP is meant to provide. Move inline scripts to external files or adopt a nonce or hash strategy.

Omitting `frame-ancestors`. Without it, CSP does nothing to prevent clickjacking. Set `frame-ancestors 'none'` (or a specific allowlist) in addition to `X-Frame-Options`.

Setting the policy via a `<meta http-equiv>` tag for a header-only directive. `frame-ancestors`, `report-uri`, and `sandbox` are ignored in meta tags. Ship via the HTTP header.

Remediation guide

// next.config.js
// Only use 'unsafe-inline' if necessary (e.g. Google Tag Manager)
const cspHeader = `
    default-src 'self';
    script-src 'self' 'nonce-{random}' 'strict-dynamic';
    style-src 'self' 'unsafe-inline';
    object-src 'none';
    base-uri 'self';
    frame-ancestors 'none';
    block-all-mixed-content;
`;

javascript

Frequently asked questions

Report-Only or enforcing - which do I ship first?

When is `unsafe-inline` actually OK?

Nonces or hashes for inline scripts?