Missing CSP
Add Content-Security-Policy to reduce XSS and risky third-party script execution.
What this means
Without a CSP, the browser has no policy restricting where scripts may be loaded from or whether inline scripts may run, so an injected script executes like any other. A CSP is most effective when it is tailored to the asset sources your pages actually use rather than copied from a generic template.
Fix steps (safe rollout)
- Start with Content-Security-Policy-Report-Only to collect violations without breaking pages.
- Allow only the domains you truly need for scripts/styles/images/fonts.
- Avoid 'unsafe-inline' where possible; once the policy is stable, use nonces or hashes for the inline scripts and styles you must keep.
- Move from Report-Only to enforcing CSP after you confirm stability.
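The rollout steps above as an added Python example (not code from the page or from the Headers Check tool): it builds the Report-Only or enforcing header from an explicit allow-list, puts a fresh per-response nonce in place of 'unsafe-inline', and audits a header value for the weak settings the steps warn about. The allowed origins and the report endpoint are constructed placeholders.

```python
import base64
import secrets

# Constructed allow-list for a hypothetical site; cdn.example.com is a placeholder.
ALLOWED_SOURCES = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'"],
}

def make_nonce():
    """Fresh random nonce per response; a reused or predictable nonce defeats the protection."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def build_csp(sources, nonce, report_only, report_uri="/csp-report"):
    """Return (header_name, header_value). Emit the Report-Only header during
    rollout so violations are reported, not blocked; flip report_only once stable."""
    directives = []
    for name, values in sources.items():
        vals = list(values)
        if name in ("script-src", "style-src"):
            vals.append(f"'nonce-{nonce}'")  # replaces 'unsafe-inline'
        directives.append(f"{name} {' '.join(vals)}")
    directives.append(f"report-uri {report_uri}")
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, "; ".join(directives)

def audit_csp(value):
    """Flag the weak settings this fix warns about in a CSP header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    findings = []
    if "default-src" not in policy:
        findings.append("missing default-src")
    for directive in ("script-src", "style-src"):
        if "'unsafe-inline'" in policy.get(directive, []):
            findings.append(f"{directive} allows 'unsafe-inline'")
    if "*" in policy.get("script-src", []):
        findings.append("script-src allows any origin")
    return findings

if __name__ == "__main__":
    name, value = build_csp(ALLOWED_SOURCES, make_nonce(), report_only=True)
    print(f"{name}: {value}")
```

The server must place the same nonce in the header and in every inline script or style tag it renders for that response. The report-uri directive is deprecated in favor of report-to but is still widely honored.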
Verify
- Re-run Headers Check and confirm CSP (or CSP Report-Only) is present.
- Test key pages and user flows after deployment.