Security headers · Check
CSP object-src is set but not 'none' — disabling plugin content
Your CSP defines `object-src` but does not lock it down to `'none'`. That allows `<object>`, `<embed>`, and `<applet>` content from the listed sources — surface area that modern web apps almost never need.
Why it matters
Set `object-src 'none'` to disable plugin content entirely. The directive does not inherit from `default-src` reliably across all browsers, so the explicit value is worth keeping.
Real-world risk
Allowing object-src loading enables plugin content (<object>, <embed>, <applet>) from the listed sources — surface area that modern apps don't need and attackers can sometimes leverage for bypasses.
Fix steps (in order)
- Set object-src 'none' to disable plugin content entirely.
- Keep the directive explicit even if default-src is 'none'; some browsers handle inheritance inconsistently for object-src.
Topic explainer
What is Content Security Policy (CSP)? A practical explainer →
An accessible explanation of Content Security Policy: what it does, why it exists, the directives that matter, and how to roll one out without breaking your app.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (csp_object_src_open) clears once the externally-observable signal is in place.