Fix
Content Security Policy (CSP)
CSP reduces XSS risk by restricting the origins from which scripts, styles, images and other resources may be loaded, and by blocking inline script unless the policy explicitly allows it (via a nonce, a hash, or the weak 'unsafe-inline' keyword).
Category: headers
Recommended rollout path
- Start with Content-Security-Policy-Report-Only, pointed at a report-uri (or report-to) endpoint, to collect violations without blocking anything. Report-Only never blocks, and without a reporting endpoint it tells you nothing.
- Tighten gradually: remove 'unsafe-inline' (and 'unsafe-eval') from script-src first, and allow the inline code the reports surface through per-response nonces or hashes rather than by widening the source allow-list.
- Move to the enforcing Content-Security-Policy header once the report stream is quiet. Both headers may be sent at once, so a stricter Report-Only policy can stage the next round of tightening alongside the enforced one.
Starter CSP example (placeholder — customize)
Example
Content-Security-Policy: default-src 'self'; img-src 'self' https: data:; script-src 'self'; style-src 'self' 'unsafe-inline'
Two things to tighten before treating this as final: "https:" in img-src permits images from any HTTPS origin, and 'unsafe-inline' in style-src still lets injected inline styles apply, so replace it with nonces or hashes once the page's inline styles are known. The placeholder also omits object-src 'none' and base-uri 'self', which are usual additions to an enforcing policy.
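As an added worked example (not from the original page or any product), the rollout path above in Python, standard library only: serialising the starter policy, emitting the Report-Only or enforcing header, computing the 'sha256-...' and 'nonce-...' source expressions that replace 'unsafe-inline', and triaging violation reports. The /csp-report endpoint path, the sample report bodies (constructed, not captured from a browser) and the object-src/base-uri directives in the tightened policy are assumptions beyond what the page shows.

```python
# Added example, not from the original page. Standard library only; the
# violation reports below are constructed, not captured from a real browser.
import base64
import hashlib
import json
import secrets
from collections import Counter

# Step 1 policy: the starter policy from the page, as a directive map.
STARTER = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "https:", "data:"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
}


def build_policy(directives):
    """Serialise a directive map into a header value: "name v1 v2; name2 ..."."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def csp_header(directives, report_only, report_uri=None):
    """Return (header_name, header_value) for one rollout stage.

    report_only=True emits Content-Security-Policy-Report-Only, which never blocks;
    without a report-uri it is also silent, so the two go together.
    """
    d = dict(directives)
    if report_uri:
        d["report-uri"] = [report_uri]  # assumed endpoint path, see SAMPLE_REPORTS
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, build_policy(d)


def csp_nonce():
    """Fresh 128-bit nonce, base64 encoded. One per response, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_hash(inline_source):
    """'sha256-...' source expression that allows one exact inline <script>/<style>.

    The digest covers the text between the tags, whitespace included, so any edit
    to the inline block changes the hash and the block is blocked again.
    """
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def tightened_policy(nonce, inline_scripts=()):
    """Step 2: drop 'unsafe-inline'; admit inline code by nonce or hash only.

    object-src 'none' and base-uri 'self' are hardening additions assumed here
    (not on the original page); they close plugin and <base>-tag bypasses.
    """
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", *[csp_hash(s) for s in inline_scripts]],
        "style-src": ["'self'", f"'nonce-{nonce}'"],
        "img-src": ["'self'", "https:", "data:"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
    }


def triage_reports(report_lines):
    """Count violations by (violated-directive, blocked-uri) from report-uri bodies.

    Each line is one JSON body as a browser POSTs it: {"csp-report": {...}}.
    blocked-uri "inline" means inline code that needs a nonce or hash; an external
    URI is a third party to either allow-list deliberately or remove.
    """
    counts = Counter()
    for line in report_lines:
        report = json.loads(line)["csp-report"]
        counts[(report["violated-directive"], report.get("blocked-uri", ""))] += 1
    return dict(counts)


def _report(directive, blocked, doc="https://app.example/"):
    """Constructed report body in the shape browsers POST to report-uri."""
    return json.dumps({"csp-report": {"document-uri": doc, "violated-directive": directive,
                                      "blocked-uri": blocked, "original-policy": build_policy(STARTER)}})


# Constructed samples: under STARTER, inline scripts and http: images are blocked.
SAMPLE_REPORTS = [
    _report("script-src-elem", "inline"),
    _report("script-src-elem", "inline", doc="https://app.example/checkout"),
    _report("img-src", "http://images.example/a.png"),
]

if __name__ == "__main__":
    print(*csp_header(STARTER, report_only=True, report_uri="/csp-report"), sep=": ")
    for key, n in triage_reports(SAMPLE_REPORTS).items():
        print(n, *key)
    nonce = csp_nonce()  # would be injected into <script nonce="..."> in the same response
    print(*csp_header(tightened_policy(nonce, ["console.log('boot')"]), report_only=False), sep=": ")
```

Run it to see the three stages: the Report-Only header with its endpoint, the triage counts that tell you which inline blocks need a nonce or hash, and the enforcing header with 'unsafe-inline' gone. The nonce must be generated per response and echoed into the nonce attribute of every inline tag you want to keep; a static nonce is equivalent to 'unsafe-inline'.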