Content Security Policy

The scanner inspects the Content-Security-Policy response header on the homepage, parses each directive, and reports which directives are declared, whether a nonce or hash strategy is in use, and which common risky sources (unsafe-inline, unsafe-eval, data:) are present on script-src.

CSP reduces script injection blast radius and documents trusted execution surfaces.

Content-Security-Policy

default-src 'self'; script-src 'self' 'nonce-…'; object-src 'none'; …

Uses per-request nonce

yes

script-src includes 'unsafe-inline'

no

script-src includes 'unsafe-eval'

no

frame-ancestors

'none'

1. 01

   Ship a Content-Security-Policy header on every HTML response — start in Report-Only mode if the site has never had one.

2. 02

   Prefer per-request nonces over 'unsafe-inline' for script-src. Nonces are generated server-side and attached to every <script> tag.

3. 03

   Declare object-src 'none' and base-uri 'self' explicitly. Both are cheap wins and commonly overlooked.

4. 04

   Use frame-ancestors 'none' (or a specific allowlist) instead of the legacy X-Frame-Options header.

Do I need a CSP if my site has no user-generated content?

Yes. CSP is a defense-in-depth posture, not just a reaction to UGC. A single compromised dependency or third-party script can inject code anywhere; a strict script-src turns that exploit into a noisy violation instead of a silent compromise.

Can I use 'unsafe-inline' as a shortcut?

You can, but the check will flag it. Most real-world CSP bypasses exploit 'unsafe-inline'. The modern answer is per-request nonces generated by the Worker or origin server, or hashes for a static set of inline scripts.

Should I start in Report-Only mode?

For established sites with a lot of surface area, yes — ship Content-Security-Policy-Report-Only first, watch the reports roll in for a week, fix violations, then promote to the enforcing header.