Content-Security-Policy header present

A Content-Security-Policy header is the primary defense against cross-site scripting (XSS) and data injection, restricting which sources scripts, styles and frames may load from. Most government sites ship without one.

Category: Security
Standard: OWASP ASVS V14.4.3 (Content Security Policy)
Framework: Advanced Security Audit

In short

The response carries no Content-Security-Policy header, so the page lacks the primary defense against XSS. This check is fully automated: the scanner returns a definitive pass or fail.

How to fix it

Add a Content-Security-Policy response header. Tune the policy first with Content-Security-Policy-Report-Only, which reports violations without blocking anything, then switch to the enforcing header with a restrictive policy (e.g. default-src 'self').
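The two-phase rollout described above, as an added example that is not the scanner's or the page's own code: a standard-library-only WSGI middleware that emits the Report-Only header during tuning and the enforcing header afterwards, followed by the kind of presence check this audit performs. The sample app, the /csp-report endpoint and the extra hardening directives (object-src, base-uri, frame-ancestors) are constructed for the example; the page itself only suggests default-src 'self'. Note that the Report-Only header has a different name and enforces nothing, so a site still in the tuning phase does not pass this check.

```python
"""Two-phase CSP rollout (report-only, then enforced) as a WSGI middleware,
plus a scanner-style presence check. Added example, standard library only."""
from io import BytesIO

CSP = "Content-Security-Policy"
CSP_REPORT_ONLY = "Content-Security-Policy-Report-Only"

# Restrictive baseline around the page's default-src 'self' suggestion. The other
# three directives are common hardening additions, not something the page lists.
STRICT_POLICY = {
    "default-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'self'"],
}


def build_policy(directives, report_uri=None):
    """Serialise {directive: [sources]} into a header value such as
    "default-src 'self'; object-src 'none'"; report_uri appends a report-uri directive."""
    parts = [f"{name} {' '.join(sources)}" for name, sources in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


class CspMiddleware:
    """Attach a CSP header to every response.

    report_only=True emits Content-Security-Policy-Report-Only: browsers send
    violation reports to report_uri but block nothing (tuning phase).
    report_only=False emits the enforcing header, which is what the check looks for."""

    def __init__(self, app, directives=STRICT_POLICY, report_only=False, report_uri=None):
        self.app = app
        self.header_name = CSP_REPORT_ONLY if report_only else CSP
        self.header_value = build_policy(directives, report_uri)

    def __call__(self, environ, start_response):
        def start_with_csp(status, headers, exc_info=None):
            # Leave any policy the application set itself untouched.
            if not any(n.lower() == self.header_name.lower() for n, _ in headers):
                headers.append((self.header_name, self.header_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_csp)


def hello_app(environ, start_response):
    """Constructed stand-in for a site that sets no CSP of its own."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def call_wsgi(app, path="/"):
    """Run a WSGI app in-process (no socket) and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.input": BytesIO(b"")}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def check_csp(headers):
    """Scanner-style verdict: 'pass' only if the enforcing header is present.
    The Report-Only header has a different name and enforces nothing, so a
    site still in the tuning phase fails this check."""
    names = {name.lower() for name, _ in headers}
    return "pass" if CSP.lower() in names else "fail"


if __name__ == "__main__":
    stages = [
        ("no header", hello_app),
        ("phase 1: report-only", CspMiddleware(hello_app, report_only=True, report_uri="/csp-report")),
        ("phase 2: enforced", CspMiddleware(hello_app)),
    ]
    for label, app in stages:
        _, headers, _ = call_wsgi(app)
        print(f"{label:22} -> {check_csp(headers)}")
```

Running the block prints the verdict for each stage: the bare app and the report-only stage fail, the enforced stage passes. The middleware deliberately does not overwrite a policy the application already sets, so a page-specific policy (for example one using nonces) can coexist with the site-wide default.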

Standards this maps to

OWASP ASVS V14.4.3 (Content Security Policy)

Frameworks that require this

Advanced Security Audit

Severity

warning — an important issue to address.
