How to Fix “Content Security Policy (CSP) Header Not Set” Vulnerability – Complete Guide
How to Fix “Content Security Policy (CSP) Header Not Set
Content Security Policy (CSP) is one of the important security headers that we use to protect our websites from different types of attacks.
If a website does not have a proper CSP header, attackers may take advantage of security weaknesses such as Cross-Site Scripting (XSS) attacks and can inject malicious scripts into the website.
In my case, I work on government websites, so securing the application is a major responsibility. We need to be very careful while implementing security changes because even a small mistake can affect the complete website functionality.
During security audits, CSP issues are one of the common findings. I have faced this issue many times while resolving security audit reports. The challenging part is that if we apply an incorrect CSP policy, website resources like images, CSS files, JavaScript files, fonts, and other design elements may stop loading properly.
For example, if the CSP header blocks a required CSS or JavaScript source, the website design may break or some functionality may not work as expected.
Currently, I am working on a CodeIgniter 3 application, which is a PHP framework. In CodeIgniter applications, we can implement CSP headers in different ways. Sometimes, we add CSP rules in the .htaccess file to apply security headers at the server level.

ifModule mod_headers.c>
Header set Content-Security-Policy “default-src ‘self’; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ https://www.google.com https://www.gstatic.com; style-src ‘self’ ‘unsafe-inline’ https://fonts.googleapis.com; font-src ‘self’ https://fonts.gstatic.com data:; img-src ‘self’ data: https:; connect-src ‘self’ https: wss:; frame-src ‘self’ https://www.google.com; object-src ‘none’; base-uri ‘self’; form-action ‘self’;”
</ifModule>
But while adding CSP, we need to analyze the website requirements properly because every website uses different resources. A strict CSP improves security, but an incorrect configuration can break the application’s UI and functionality.
The best approach is to first test CSP changes in a development or testing environment, check all website components, and then apply them to the production environment.
Security headers like CSP play an important role in making websites more secure and reducing vulnerabilities reported during security audits.
How to Check Content Security Policy (CSP) Header
After implementing the CSP header, we can verify whether it is working correctly from the browser developer tools.
To check the CSP header:
- Open your website in the browser.
- Press F12 or right-click → Inspect.
- Go to the Network tab.
- Reload the website page.
- Click on the main website request (usually the first request).
- Go to the Headers section.
- Under Response Headers, check for:
CSP is supported across various technologies and platforms, including:
- PHP
- CodeIgniter
- Laravel
- Node.js
- ASP.NET
- Java
- Python
- WordPress
- Apache Server
- Nginx Server
Understanding Security Testing Tools
Ofcousres this csp also detect on sonar and fortify tools
Before fixing this issue, let’s understand the tools that report these warnings: Fortify and SonarQube
SonarQube and Fortify are code analysis tools used in software development to identify issues in applications and improve the overall quality and security of the code.
SonarQube:
SonarQube mainly focuses on code quality, maintainability, code smells, bugs, and improving the overall structure of the application.
Fortify:
Fortify focuses more on application security by identifying vulnerabilities, security risks, and compliance-related issues in the code.
In simple terms, SonarQube helps us write cleaner and maintainable code, while Fortify helps us make the application more secure by finding potential security vulnerabilities.
Conclusion
“Content Security Policy (CSP) Header Not Set” is a serious security vulnerability that should not be ignored.
By implementing a properly configured CSP Header:
- Your website security is strengthened
- The risk of XSS (Cross-Site Scripting) attacks is reduced
- User data and sensitive information are better protected
- Security audit compliance and assessment scores can be improved
Implementing CSP is an important step toward building a safer and more secure web application.
