Without a Content Security Policy, browsers trust every script origin a page loads — including any injected by XSS. An attacker who finds a single injection point can exfiltrate session cookies, rewrite page content, or silently redirect users, because there is no browser-enforced allowlist to stop arbitrary script execution. OWASP A03 (Injection) and CWE-79 (Cross-Site Scripting) both identify missing CSP as a failure to implement available defenses. A Content-Security-Policy-Report-Only header monitors but enforces nothing — it does not satisfy this check. Even a minimal CSP with default-src 'self' eliminates an entire class of exfiltration attacks by blocking off-origin resource loads.
High because the absence of an enforcing CSP leaves XSS attacks completely unrestricted — any injection vulnerability directly enables session hijacking, credential theft, or defacement.
Add an enforcing Content-Security-Policy header to your HTTP responses. Start with a restrictive baseline and loosen only what your app needs:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:
In Next.js next.config.js, add to the headers() array:
{ key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'" }
Test your policy with the CSP Evaluator at https://csp-evaluator.withgoogle.com/ before enforcing. Start in Report-Only mode if you have existing third-party scripts — collect violations, then promote to enforcing.
ID: site-health-check.security-posture.csp-header
Severity: high
What to look for: Before evaluating, extract and quote the exact Content-Security-Policy header value from the response. Count the number of CSP directives present (e.g., default-src, script-src, style-src). Also check for Content-Security-Policy-Report-Only — note its presence but it does not satisfy this check alone.
Detector snippet (shell-capable tools only): If curl is available, fetch HEAD against $BASE_URL and inspect the response headers for Content-Security-Policy. If the header is present with at least one directive, pass. If missing or only Content-Security-Policy-Report-Only is present, fail. Exit >=2 / command not found — fall back to prose reasoning.
curl -sS -I $BASE_URL/
Pass criteria: Content-Security-Policy header exists in the response with at least 1 directive. The header value must be non-empty and contain a recognizable CSP directive (e.g., default-src, script-src). Report the number of directives found.
Fail criteria: No Content-Security-Policy header in the response, or the header value is empty or contains no valid CSP directives.
Do NOT pass when: Only Content-Security-Policy-Report-Only is present without an accompanying enforcing Content-Security-Policy header. Report-only mode monitors but does not protect.
Skip (N/A) when: The response is not HTML (e.g., the response Content-Type is application/json or text/plain).
Cross-reference: For deeper CSP analysis including directive-level evaluation, the Security Headers audit (security-headers) provides comprehensive header coverage.
Detail on fail: "No Content-Security-Policy header found in response"
Remediation: CSP prevents cross-site scripting (XSS) by controlling which sources browsers allow for scripts, styles, and other resources. Start with a basic policy:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
For Next.js, configure in next.config.js under headers(). Test your policy at https://csp-evaluator.withgoogle.com/ before enforcing.