To fix a missing CSP, add a Content-Security-Policy header that allowlists the sources your site legitimately loads. Start in report-only mode (Content-Security-Policy-Report-Only), review violations, tighten the policy, then enforce it. Re-scan to confirm.
A missing Content Security Policy means the browser will run any script that ends up on your page, including injected ones — the core of most XSS attacks. Adding a CSP tells the browser exactly which sources are allowed. The safe way to deploy one is gradually, which this guide walks through.
Check your website
See how your site handles how to fix a missing content security policy (csp) — free, no account needed.
Business impact
Cross-site scripting is one of the most common and damaging web vulnerabilities — it can steal sessions, card details and credentials. A CSP is a strong, browser-enforced defence. For any site handling logins or payments, a well-built CSP is a meaningful reduction in real risk and a signal of a professionally secured site.
Why this happens
CSP is missing because it is not on by default and is genuinely fiddly to get right — a careless policy breaks scripts, styles or widgets. Common causes: never configured; or a previous attempt broke the site and was rolled back. Sites using many third-party scripts (analytics, chat, payments) need those sources allowlisted, which is why a report-only rollout matters.
How to confirm the issue
Manually: check response headers in DevTools → Network for content-security-policy. The browser console will also log CSP violations once a policy is active.
With Plexa Trust: run a scan and look for "Missing Content-Security-Policy". After deploying and enforcing your policy, re-scan to confirm it clears.
Step-by-step fix
Inventory every script, style, image, font and frame source your site loads.
Deploy a starter policy in
Content-Security-Policy-Report-Onlymode.Collect violation reports (browser console or a reporting endpoint) for a few days.
Replace
unsafe-inlinewith nonces or hashes and tighten the allowlist.Switch from Report-Only to the enforcing
Content-Security-Policyheader.Re-scan and monitor the console for breakage.
Platform-specific fixes
Cloudflare
Use Transform Rules to add a response header.
Rules → Transform Rules → Modify Response Header.
Add
Content-Security-Policy-Report-Onlyfirst with your starter policy.Once validated, add the enforcing
Content-Security-Policyheader.
Apache
In your virtual host or .htaccess (mod_headers):
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'"
Reload Apache after testing.
Nginx
In the HTTPS server block:
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'self'" always;
Run
nginx -tand reload.
WordPress
Use a security-headers plugin that supports CSP, or add the header in your theme/server.
Expect to allowlist sources for your theme, plugins and any embedded services.
Test thoroughly — CSP frequently blocks plugin scripts until allowlisted.
How to verify the fix
Always start in Report-Only mode to catch breakage safely.
Avoid
unsafe-inline/unsafe-eval; use nonces or hashes instead.Re-scan with Plexa Trust and confirm "Missing Content-Security-Policy" is cleared.
Common mistakes
Copy-pasting someone else's CSP and breaking your scripts or checkout.
Shipping a policy with
unsafe-inline, which defeats much of the protection.Enforcing immediately without a report-only phase.
Frequently asked questions
What is a CSP?
A Content Security Policy is a response header that tells the browser which sources of scripts, styles and other content are allowed, blocking injected or unauthorised resources.
Why not just enforce a CSP straight away?
A too-strict policy can break legitimate scripts and styles. Report-only mode lets you see what would break before it actually does.
What is a good starter policy?
Something like default-src 'self'; object-src 'none'; frame-ancestors 'self', then expand to allowlist the third-party sources you genuinely use.
How do I handle inline scripts?
Use a per-request nonce or a hash of the script, and reference it in the policy, instead of unsafe-inline.
Does CSP stop all XSS?
No single control does, but a strong CSP significantly reduces the impact of XSS by blocking unauthorised script execution.
Will CSP slow my site?
No meaningful performance cost. It is a header the browser enforces; the effort is in configuration, not runtime speed.
How do I collect violation reports?
Add a report-to/report-uri directive pointing to an endpoint, or simply watch the browser console during testing.
How do I confirm it worked?
Re-scan with Plexa Trust and check the enforcing header is present. The "Missing Content-Security-Policy" finding should clear.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan