Security headers · Check
CSP is missing both script-src and default-src — adding a baseline
Your CSP defines neither `script-src` nor `default-src`, so script loading falls back to no restriction. The header is technically present but provides essentially no protection against injected JavaScript.
Why it matters
At minimum, set `default-src 'self'` so script (and other resource) loading is constrained to your own origin. Then add explicit `script-src` for any external script sources you actually need.
Real-world risk
Without script-src or default-src, the CSP imposes essentially no script restrictions and provides only marginal protection.
Fix steps (in order)
- Add default-src 'self' as a baseline so all resource types restrict to your origin by default.
- Add explicit script-src for any external script sources you actually need.
- Re-test the page in browser devtools (Console → CSP violations) to find anything you've missed before tightening further.
Topic explainer
What is Content Security Policy (CSP)? A practical explainer →
An accessible explanation of Content Security Policy: what it does, why it exists, the directives that matter, and how to roll one out without breaking your app.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (csp_missing_script_default) clears once the externally-observable signal is in place.