Missing or Permissive Content-Security-Policy HTTP Response Header

Nessus Output

Synopsis :

The remote web server does not take steps to mitigate a class of web
application vulnerabilities.

Description :

The remote web server in some responses sets a permissive
Content-Security-Policy (CSP) response header or does not set one at

The CSP header has been proposed by the W3C Web Application Security
Working Group as a way to mitigate cross-site scripting and
clickjacking attacks.
You can verify your website via: https://securityheaders.io