Content Security Policy header is present
Why it matters
Without a Content Security Policy, browsers trust every script origin a page loads — including any injected by XSS. An attacker who finds a single injection point can exfiltrate session cookies, rewrite page content, or silently redirect users, because there is no browser-enforced allowlist to stop arbitrary script execution. OWASP A03 (Injection) and CWE-79 (Cross-Site Scripting) both identify missing CSP as a failure to implement available defenses. A Content-Security-Policy-Report-Only header monitors but enforces nothing — it does not satisfy this check. Even a minimal CSP with default-src 'self' eliminates an entire class of exfiltration attacks by blocking off-origin resource loads.
Severity rationale
High because the absence of an enforcing CSP leaves XSS attacks completely unrestricted — any injection vulnerability directly enables session hijacking, credential theft, or defacement.
Remediation
Add an enforcing Content-Security-Policy header to your HTTP responses. Start with a restrictive baseline and loosen only what your app needs:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:
In Next.js next.config.js, add to the headers() array:
{ key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'" }
Test your policy with the CSP Evaluator at https://csp-evaluator.withgoogle.com/ before enforcing. Start in Report-Only mode if you have existing third-party scripts — collect violations, then promote to enforcing.
Detection
-
ID:
csp-header -
Severity:
high -
What to look for: Before evaluating, extract and quote the exact
Content-Security-Policyheader value from the response. Count the number of CSP directives present (e.g.,default-src,script-src,style-src). Also check forContent-Security-Policy-Report-Only— note its presence but it does not satisfy this check alone. -
Detector snippet (shell-capable tools only): If
curlis available, fetch HEAD against$BASE_URLand inspect the response headers forContent-Security-Policy. If the header is present with at least one directive, pass. If missing or onlyContent-Security-Policy-Report-Onlyis present, fail. Exit >=2 / command not found — fall back to prose reasoning.curl -sS -I $BASE_URL/ -
Pass criteria:
Content-Security-Policyheader exists in the response with at least 1 directive. The header value must be non-empty and contain a recognizable CSP directive (e.g.,default-src,script-src). Report the number of directives found. -
Fail criteria: No
Content-Security-Policyheader in the response, or the header value is empty or contains no valid CSP directives. -
Do NOT pass when: Only
Content-Security-Policy-Report-Onlyis present without an accompanying enforcingContent-Security-Policyheader. Report-only mode monitors but does not protect. -
Skip (N/A) when: The response is not HTML (e.g., the response
Content-Typeisapplication/jsonortext/plain). -
Cross-reference: For deeper CSP analysis including directive-level evaluation, the Security Headers audit (
security-headers) provides comprehensive header coverage. -
Detail on fail:
"No Content-Security-Policy header found in response" -
Remediation: CSP prevents cross-site scripting (XSS) by controlling which sources browsers allow for scripts, styles, and other resources. Start with a basic policy:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'For Next.js, configure in
next.config.jsunderheaders(). Test your policy at https://csp-evaluator.withgoogle.com/ before enforcing.
External references
- cwe · CWE-79 — Improper Neutralization of Input During Web Page Generation (XSS)
- owasp:2021 · A03 — Injection
Taxons
History
- 2026-04-18·v1.0.0·Initial import from site-health-check·automated
- 2026-04-20·v1.1.0·Add Phase 6.0 detect-curl snippet for deterministic CSP header probe·by cakleinman