Missing Content-Security-Policy Response Header

Hey everyone:

Screaming Frog flagged this issue on my site. This is new to me and I'm not sure what I need to do to resolve it.

Any advice would be greatly appreciated.

From the report:

URLs that are missing the Content-Security-Policy response header. This header allows a website to control which resources are loaded for a page. This policy can help guard against cross-site scripting (XSS) attacks that exploit the browser's trust in the content received from the server. The SEO Spider only checks for the existence of the header, and does not interrogate the policies found within the header to determine whether they are well set up for the website. This should be performed manually.

How To Fix

Set a strict Content-Security-Policy response header across all pages to help mitigate cross-site scripting (XSS) and data injection attacks.

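The report above only tests whether the header exists and leaves policy review to a manual step. The following is an added example (not from Screaming Frog or the poster) that does both over a dict of response headers: it reports a missing or report-only CSP and flags the source keywords that undermine the "strict" policy the fix asks for. The sample header sets are constructed; feed it the headers from a real response to check your own pages.

```python
"""Check response headers for a Content-Security-Policy and flag weak directives.

Added example for this thread; the sample header sets below are constructed.
"""

# Source expressions that weaken a policy against XSS; each is reported by name.
WEAK_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:")


def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}.

    Directives are separated by ';'; each is a name followed by
    whitespace-separated source expressions. Directive names are case-insensitive.
    """
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(headers):
    """Return a list of findings for one response's headers (empty list means OK).

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" not in lowered:
        if "content-security-policy-report-only" in lowered:
            return ["CSP present only in report-only mode; it is not enforced"]
        return ["Content-Security-Policy header missing"]

    policy = parse_csp(lowered["content-security-policy"])
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback; unlisted fetch directives are unrestricted")
    # script-src and object-src are the directives that matter most for XSS.
    for directive in ("default-src", "script-src", "object-src"):
        for src in policy.get(directive, []):
            if src in WEAK_SOURCES:
                findings.append(f"{directive} allows {src}")
    return findings


if __name__ == "__main__":
    # Constructed sample responses: header missing, weak policy, strict policy.
    samples = {
        "missing": {"Content-Type": "text/html"},
        "weak": {"content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'"},
        "strict": {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"},
    }
    for name, hdrs in samples.items():
        print(name, "->", check_csp(hdrs) or ["OK"])
```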