How to Fix “Content Security Policy (CSP) Header Not Set” Vulnerability – Complete Guide
Website security matters more than ever. One finding that security scanners commonly report is:
“Content Security Policy (CSP) Header Not Set”
If your website does not send a CSP header, nothing stops a script that an attacker has injected through a Cross-Site Scripting (XSS) flaw from running in your users' browsers.
In this blog, we will understand:
- What is CSP?
- Why do we need it?
- Can it be used in all programming languages?
- How to implement it?
- Pros and Cons of CSP
Top 5 Important Questions About CSP
1. What is Content Security Policy (CSP)?
Content Security Policy (CSP) is a security header used to protect websites from cyber attacks like:
- Cross-Site Scripting (XSS)
- Data Injection Attacks
- Malicious JavaScript Execution
CSP tells the browser:
“Only load trusted content from allowed sources.”
For example:
- Allow scripts only from your own website
- Block unknown external JavaScript
- Restrict inline scripts
Example:
Content-Security-Policy: default-src 'self';
Meaning:
- Load resources only from the page's own origin (same scheme, host and port).
2. Why Do We Need CSP?
Without CSP, attackers can inject harmful scripts into your website.
Example attack:
<script>alert('Hacked');</script>
If CSP is enabled, the browser can block such unauthorized scripts.
Benefits of CSP
- Improves website security
- Prevents XSS attacks
- Protects user data
- Helps in security compliance
- Reduces risk of malicious content loading
3. Is CSP Only for PHP Websites?
No.
CSP is not limited to PHP.
It works with almost every technology because CSP is applied through HTTP response headers.
Supported Technologies
- PHP
- CodeIgniter
- Laravel
- Node.js
- ASP.NET
- Java
- Python Django
- WordPress
- Apache Server
- Nginx Server
Any website or web application can use CSP.
4. How to Apply CSP Header? (With Examples)
A) Apply CSP in PHP
<?php
// Send the header before any output; PHP cannot add headers once the body has started.
header("Content-Security-Policy: default-src 'self';");
B) Apply CSP in Apache (.htaccess)
# Requires mod_headers to be enabled
Header set Content-Security-Policy "default-src 'self';"
C) Apply CSP in Nginx
# Place inside the server {} or location {} block. An add_header in a location
# block replaces every add_header inherited from the server block, so repeat it there.
add_header Content-Security-Policy "default-src 'self';";
D) Allow Trusted CDN Example
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com;
This allows:
- Local scripts
- Cloudflare CDN scripts
5. What Are the Pros and Cons of CSP?
Pros of CSP
1. Strong Security
Protects websites from XSS attacks.
2. Prevents Unauthorized Scripts
Only trusted sources are allowed.
3. Improves User Trust
Users feel safer using secure websites.
4. Better Security Compliance
Helpful for security audits and penetration testing.
5. Reduces Data Theft Risk
Blocks malicious scripts that steal user information.
Cons of CSP
1. Initial Setup Complexity
Sometimes configuration can be difficult.
2. May Break Existing Scripts
Inline JavaScript may stop working.
3. Requires Testing
Need proper testing after implementation.
4. Third-Party Integrations
External plugins/CDNs may require additional permissions.
Real Example of CSP Protection
Suppose an attacker injects:
<script src="http://malicious-site.com/hack.js"></script>
If your CSP only allows:
default-src 'self';
Then the browser blocks the malicious script automatically.
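To make the blocking decision in the CDN example (section 4 D) and in the real example above concrete, here is an added example, not code from the original post, that models how a browser evaluates a CSP source list. It parses the header, falls back to default-src for directives that are not set, and matches a resource URL against 'self', 'none', *, scheme sources such as https: and data:, and host sources with an optional *. prefix and port. Path matching and the finer points of scheme upgrading are left out; the policies and URLs are constructed from the article's own examples, and the page origin https://example.com is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed policies, copied from the article's examples.
POLICY_SELF_ONLY = "default-src 'self';"
POLICY_WITH_CDN = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com;"

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header_value):
    """Split a CSP header value into {directive: [source expressions]}.
    A directive repeated later in the header is ignored, as browsers do."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url):
    """(scheme, host, port) with default ports filled in, for 'self' comparisons."""
    p = urlparse(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))


def source_matches(source, url, page_origin):
    """Simplified matching of one CSP source expression against a resource URL.
    Covers 'none', 'self', *, scheme-sources (https:, data:) and host-sources
    (optional scheme, optional *. prefix, optional port); paths are ignored."""
    src = source.lower()
    scheme, host, port = _origin(url)
    if src == "'none'":
        return False
    if src == "'self'":
        return (scheme, host, port) == _origin(page_origin)
    if src.startswith("'"):
        return False  # keyword sources ('unsafe-inline', 'nonce-...') never match a URL
    if src == "*":
        return scheme in DEFAULT_PORTS          # * never matches data:, blob: and friends
    if src.endswith(":") and "//" not in src:  # scheme-source such as https: or data:
        return scheme == src[:-1]
    m = re.fullmatch(r"(?:([a-z][a-z0-9+.-]*)://)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(/.*)?", src)
    if not m:
        return False
    src_scheme, wildcard, src_host, src_port, _path = m.groups()
    if src_scheme:
        if scheme != src_scheme:
            return False
    elif scheme not in DEFAULT_PORTS:
        return False  # a bare host only matches network schemes (simplification of the spec)
    if wildcard:
        if not host.endswith("." + src_host):
            return False  # *.example.com does not match example.com itself
    elif host != src_host:
        return False
    if src_port and src_port != "*" and str(port) != src_port:
        return False
    return True


def is_allowed(header_value, directive, url, page_origin):
    """Would the browser load `url` as `directive` under this policy?
    Fetch directives fall back to default-src when not set explicitly."""
    policy = parse_csp(header_value)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: the policy says nothing about this load
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    page = "https://example.com"  # assumed origin of the protected page
    for policy, directive, url in [
        (POLICY_SELF_ONLY, "script-src", "http://malicious-site.com/hack.js"),
        (POLICY_SELF_ONLY, "script-src", "https://example.com/app.js"),
        (POLICY_WITH_CDN, "script-src", "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"),
        (POLICY_WITH_CDN, "img-src", "https://cdnjs.cloudflare.com/logo.png"),
    ]:
        verdict = "ALLOWED" if is_allowed(policy, directive, url, page) else "BLOCKED"
        print(f"{verdict:7} {directive:10} {url}  under  {policy}")
```

The fourth case is the one people trip over: adding the CDN to script-src does not let images from the same CDN through, because img-src was never set and therefore falls back to default-src 'self'.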
Best Practice for CSP
Recommended Basic CSP
Content-Security-Policy:
default-src 'self';
script-src 'self' https:;
style-src 'self' https: 'unsafe-inline';
img-src 'self' data: https:;
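The recommended policy above is a reasonable starting point, but a practitioner should know that script-src 'self' https: permits scripts from every HTTPS host on the internet, and that base-uri and frame-ancestors do not inherit from default-src, so leaving them out leaves those gaps open. As an added example that is not part of the original post, the following policy linter flags those weak spots and builds a stricter per-response policy that uses a nonce instead of a broad scheme allowance. The severity labels, the hardened policy layout and the nonce length are this example's own choices.

```python
import secrets

# The article's recommended policy, as a constructed one-line header value.
ARTICLE_POLICY = ("default-src 'self'; script-src 'self' https:; "
                  "style-src 'self' https: 'unsafe-inline'; img-src 'self' data: https:;")

# Source expressions that make script-src effectively open.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value):
    """{directive: [sources]}; later duplicates of a directive are ignored, as in browsers."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(header_value):
    """Return (severity, directive, problem) findings for a policy string."""
    policy = parse_csp(header_value)
    findings = []
    default = policy.get("default-src")
    if default is None:
        findings.append(("high", "default-src", "missing; any fetch directive you forget is unrestricted"))
    script = policy.get("script-src", default or [])
    lowered = {s.lower() for s in script}
    # With a nonce or hash present, browsers ignore 'unsafe-inline', so only flag it without one.
    if "'unsafe-inline'" in lowered and not any(s.startswith(HASH_OR_NONCE) for s in script):
        findings.append(("high", "script-src", "'unsafe-inline' without a nonce or hash lets injected inline scripts run"))
    if "'unsafe-eval'" in lowered:
        findings.append(("medium", "script-src", "'unsafe-eval' lets eval()/new Function() run attacker-controlled strings"))
    for broad in sorted(BROAD_SOURCES & lowered):
        findings.append(("high", "script-src", f"{broad} allows scripts from any host using that scheme"))
    default_lowered = {s.lower() for s in (default or [])}
    if "object-src" not in policy and "'none'" not in default_lowered:
        findings.append(("medium", "object-src", "not 'none'; plugin content can execute script"))
    # These two directives have no default-src fallback at all.
    for name, risk in (("base-uri", "an injected <base> tag can redirect relative script URLs"),
                       ("frame-ancestors", "the page can be framed (clickjacking)")):
        if name not in policy:
            findings.append(("medium", name, f"missing; {risk}"))
    style = policy.get("style-src", default or [])
    if "'unsafe-inline'" in {s.lower() for s in style}:
        findings.append(("low", "style-src", "'unsafe-inline' lets injected CSS leak page content"))
    return findings


def fresh_nonce():
    """A new unguessable nonce for each HTTP response; never reuse one across responses."""
    return secrets.token_urlsafe(16)


def hardened_policy(nonce):
    """Stricter policy: inline scripts run only when their <script> tag carries this nonce."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "style-src 'self'; img-src 'self' data: https:; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none';")


if __name__ == "__main__":
    for label, policy in (("article", ARTICLE_POLICY), ("hardened", hardened_policy(fresh_nonce()))):
        print(f"--- {label}: {policy}")
        for severity, directive, problem in lint_csp(policy) or [("ok", "-", "no findings")]:
            print(f"[{severity}] {directive}: {problem}")
```

The hardened policy only works if the same nonce value is written into every legitimate inline <script nonce="..."> tag of that response; templating engines usually expose a hook for this. Inline scripts you cannot annotate are the ones the Cons section warns will break, and the Final Tip's report-only rollout is how you find them before enforcing.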
Conclusion
“Content Security Policy (CSP) Header Not Set” is a serious security vulnerability that should not be ignored.
By implementing CSP:
- Your website becomes more secure
- XSS attacks can be reduced
- User data remains safer
- Security audit scores improve
Every modern website should implement CSP headers properly.
Final Tip
Before applying CSP on a live website:
- Test in a development environment first
- Check the browser console for CSP violation errors
- Gradually restrict resources
- Monitor blocked content
This helps avoid breaking your website functionality.
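The browser can do the monitoring for you: sending the policy as Content-Security-Policy-Report-Only with a report-uri directive makes the browser POST a JSON violation report for every load the policy would have blocked, without blocking anything. The following added example, not code from the original post, builds that rollout header and summarises a batch of constructed violation reports by directive and blocked origin so that the "gradually restrict" step is driven by evidence. The /csp-report path and the sample reports are this example's assumptions; report-uri is the older reporting mechanism, still honoured by browsers, while report-to is its successor.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlparse


def report_only_header(policy, report_path="/csp-report"):
    """Header (name, value) for the rollout phase: violations are reported to
    report_path, nothing is blocked. report_path is an assumed endpoint."""
    return ("Content-Security-Policy-Report-Only",
            f"{policy.rstrip('; ')}; report-uri {report_path}")


# Constructed violation reports in the JSON shape browsers POST to report-uri.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://example.com/checkout",
                               "effective-directive": "script-src",
                               "blocked-uri": "inline", "line-number": 42}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/checkout",
                               "effective-directive": "script-src",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/",
                               "effective-directive": "img-src",
                               "blocked-uri": "https://cdnjs.cloudflare.com/logo.png"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/login",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "http://malicious-site.com/hack.js"}}),
]


def blocked_source(blocked_uri):
    """Collapse blocked-uri to something reviewable: 'inline', 'eval', a scheme, or an origin."""
    if blocked_uri in ("inline", "eval") or ":" not in blocked_uri:
        return blocked_uri or "(empty)"
    p = urlparse(blocked_uri)
    if not p.hostname:
        return f"{p.scheme}:"  # data:, blob: and similar carry no host
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")


def summarize_reports(raw_reports):
    """{effective directive: Counter of blocked sources} for a batch of report bodies.
    Malformed bodies are skipped; a report collector must not crash on garbage input."""
    summary = defaultdict(Counter)
    for raw in raw_reports:
        try:
            r = json.loads(raw)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue
        if not isinstance(r, dict):
            continue
        # Newer browsers send effective-directive; older reports only carry violated-directive.
        directive = r.get("effective-directive") or (r.get("violated-directive") or "unknown").split()[0]
        summary[directive][blocked_source(r.get("blocked-uri", ""))] += 1
    return dict(summary)


def triage(summary):
    """One review line per finding. Only inline code and origins you knowingly use are
    candidates for the policy; an unknown host in the reports is evidence, not an allowlist entry."""
    lines = []
    for directive, sources in sorted(summary.items()):
        for source, count in sources.most_common():
            if source == "inline":
                action = "move the script to a file, or add a nonce/hash"
            elif source == "eval":
                action = "refactor away from eval(); do not add 'unsafe-eval'"
            else:
                action = "allow only if this is an origin you deliberately use; otherwise investigate"
            lines.append(f"{directive}: {source} ({count}x) -> {action}")
    return lines


if __name__ == "__main__":
    print(report_only_header("default-src 'self';"))
    for line in triage(summarize_reports(SAMPLE_REPORTS)):
        print(line)
```

Run the site with the report-only header for a while, review the summary, fix inline scripts and add only the origins you recognise, then switch the header name to Content-Security-Policy. Keep the report-uri in the enforcing policy too, so the monitoring continues after the cut-over.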
