Skip to main content

Fix Guides

How to Fix a Missing Content Security Policy (CSP)

Add a CSP that blocks injected scripts without breaking your site.

Quick fix

To fix a missing CSP, add a Content-Security-Policy header that allowlists the sources your site legitimately loads. Start in report-only mode (Content-Security-Policy-Report-Only), review violations, tighten the policy, then enforce it. Re-scan to confirm.

A missing Content Security Policy means the browser will run any script that ends up on your page, including injected ones — the core of most XSS attacks. Adding a CSP tells the browser exactly which sources are allowed. The safe way to deploy one is gradually, which this guide walks through.

Check your website

See how your site handles how to fix a missing content security policy (csp) — free, no account needed.

Business impact

Cross-site scripting is one of the most common and damaging web vulnerabilities — it can steal sessions, card details and credentials. A CSP is a strong, browser-enforced defence. For any site handling logins or payments, a well-built CSP is a meaningful reduction in real risk and a signal of a professionally secured site.

Why this happens

CSP is missing because it is not on by default and is genuinely fiddly to get right — a careless policy breaks scripts, styles or widgets. Common causes: never configured; or a previous attempt broke the site and was rolled back. Sites using many third-party scripts (analytics, chat, payments) need those sources allowlisted, which is why a report-only rollout matters.

How to confirm the issue

Manually: check response headers in DevTools → Network for content-security-policy. The browser console will also log CSP violations once a policy is active.

With Plexa Trust: run a scan and look for "Missing Content-Security-Policy". After deploying and enforcing your policy, re-scan to confirm it clears.

Step-by-step fix

  1. Inventory every script, style, image, font and frame source your site loads.

  2. Deploy a starter policy in Content-Security-Policy-Report-Only mode.

  3. Collect violation reports (browser console or a reporting endpoint) for a few days.

  4. Replace unsafe-inline with nonces or hashes and tighten the allowlist.

  5. Switch from Report-Only to the enforcing Content-Security-Policy header.

  6. Re-scan and monitor the console for breakage.

Platform-specific fixes

Cloudflare

Use Transform Rules to add a response header.

  1. Rules → Transform Rules → Modify Response Header.

  2. Add Content-Security-Policy-Report-Only first with your starter policy.

  3. Once validated, add the enforcing Content-Security-Policy header.

Apache

In your virtual host or .htaccess (mod_headers):

  1. Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'"

  2. Reload Apache after testing.

Nginx

In the HTTPS server block:

  1. add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'self'" always;

  2. Run nginx -t and reload.

WordPress

  1. Use a security-headers plugin that supports CSP, or add the header in your theme/server.

  2. Expect to allowlist sources for your theme, plugins and any embedded services.

  3. Test thoroughly — CSP frequently blocks plugin scripts until allowlisted.

How to verify the fix

  • Always start in Report-Only mode to catch breakage safely.

  • Avoid unsafe-inline/unsafe-eval; use nonces or hashes instead.

  • Re-scan with Plexa Trust and confirm "Missing Content-Security-Policy" is cleared.

Common mistakes

  • Copy-pasting someone else's CSP and breaking your scripts or checkout.

  • Shipping a policy with unsafe-inline, which defeats much of the protection.

  • Enforcing immediately without a report-only phase.

Frequently asked questions

What is a CSP?

A Content Security Policy is a response header that tells the browser which sources of scripts, styles and other content are allowed, blocking injected or unauthorised resources.

Why not just enforce a CSP straight away?

A too-strict policy can break legitimate scripts and styles. Report-only mode lets you see what would break before it actually does.

What is a good starter policy?

Something like default-src 'self'; object-src 'none'; frame-ancestors 'self', then expand to allowlist the third-party sources you genuinely use.

How do I handle inline scripts?

Use a per-request nonce or a hash of the script, and reference it in the policy, instead of unsafe-inline.

Does CSP stop all XSS?

No single control does, but a strong CSP significantly reduces the impact of XSS by blocking unauthorised script execution.

Will CSP slow my site?

No meaningful performance cost. It is a header the browser enforces; the effort is in configuration, not runtime speed.

How do I collect violation reports?

Add a report-to/report-uri directive pointing to an endpoint, or simply watch the browser console during testing.

How do I confirm it worked?

Re-scan with Plexa Trust and check the enforcing header is present. The "Missing Content-Security-Policy" finding should clear.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring