Security Headers

How to fix a missing or weak Content Security Policy (CSP)

Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.

What it is

Content-Security-Policy (CSP) is a response header that tells the browser which sources of scripts, styles, images, and other resources are allowed to load. It reduces the impact of XSS and data injection by restricting where content can come from.

Why it matters

Without CSP, a single XSS or injected script can load and run any code. CSP limits the damage by blocking unauthorized scripts and inline code. A well-configured CSP is a strong defense-in-depth measure.

How to fix it

  1. Start with report-only (optional)

     Use Content-Security-Policy-Report-Only first to log what would be blocked without enforcing anything. Fix the reported violations, then switch to the enforcing Content-Security-Policy header.

  2. Set default-src

     default-src is the fallback for most fetch directives that are not set explicitly. Use 'self' to allow same-origin only, and add specific sources for scripts, styles, and images as needed.

  3. Restrict script-src

     script-src controls where JavaScript can load from. Avoid 'unsafe-inline' and 'unsafe-eval' when possible; use nonces or hashes to allow the inline scripts you actually need.

  4. Add frame-ancestors for clickjacking

     frame-ancestors limits who can embed your site in an iframe. Use 'none' or 'self' to prevent clickjacking.

  5. Deploy and verify

     Deploy the header, test your site, and run a CSP checker or Barrion security scan to confirm the policy is present and effective.

Examples by platform

Nginx

add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;" always;

Apache

Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;"
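As an added example (not part of Barrion's guide or its scanner), the following Python script parses a CSP header value and flags the weaknesses the steps above describe: a missing default-src, 'unsafe-inline' or 'unsafe-eval' in script-src without a nonce or hash, wildcard script sources, and a missing or open frame-ancestors. The policy strings are constructed for the demo; the first one is the Nginx/Apache value from this page, which the checker reports as missing frame-ancestors.

```python
from typing import Dict, List

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive. Browsers honour only the first
    occurrence of a directive, so later duplicates are ignored here too.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_csp(header: str) -> List[str]:
    """Return human-readable findings for the weak settings the guide warns about."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("default-src missing: unspecified fetch directives fall open")
    # script-src falls back to default-src when it is not set explicitly.
    script = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script)
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline' (legacy fallback).
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if any(s in ("*", "http:", "https:") for s in script):
        findings.append("script-src allows scripts from any origin")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: the page can be framed (clickjacking)")
    elif any(s.lower() in ("*", "http:", "https:") for s in policy["frame-ancestors"]):
        findings.append("frame-ancestors allows any site to frame the page")
    return findings

# Constructed sample policies: the page's own example, a weak one, and a hardened one.
GUIDE_POLICY = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;"
WEAK_POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"
HARDENED_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"

if __name__ == "__main__":
    for name, value in (("guide", GUIDE_POLICY), ("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit_csp(value) or ['no findings']}")
```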


© 2025 Barrion AB (559569-0917) - All Rights Reserved.