Nessus Output
Synopsis
The remote web server does not take steps to mitigate a class of web application vulnerabilities.
Description
The remote web server in some responses sets a permissive Content-Security-Policy (CSP) response header or does not set one at all. The CSP header has been proposed by the W3C Web Application Security Working Group as a way to mitigate cross-site scripting and clickjacking attacks.
Securityheaders
You can verify your website via: https://securityheaders.io
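As an added example (not part of the Nessus output or of the securityheaders.io service), the following Python checker applies the same test offline to the headers of a captured response: it reports a missing Content-Security-Policy header, flags script sources that leave cross-site scripting unmitigated ('unsafe-inline', 'unsafe-eval', wildcard and bare scheme sources), and notes a missing frame-ancestors directive for the clickjacking case. The three header dictionaries at the bottom are constructed samples; the parser only handles the directive/source grammar needed for these checks.

```python
"""Evaluate Content-Security-Policy headers for the permissiveness the Nessus
plugin describes: header absent, or present but allowing unsafe script sources.
Constructed example; sample headers below are not taken from a real site."""
from typing import Dict, List, Optional

# Script sources that negate CSP's protection against cross-site scripting.
UNSAFE_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}
# Bare scheme sources allow every origin on that scheme (data: also allows inline payloads).
UNSAFE_SCHEME_SOURCES = {"http:", "https:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [sources]}.

    Directives are separated by ';', each directive name is followed by
    whitespace-separated source expressions. Directive names are lowercased.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def get_csp(headers: Dict[str, str]) -> Optional[str]:
    """Return the enforcing CSP header value, matching the name case-insensitively.

    Content-Security-Policy-Report-Only is deliberately ignored: it only
    reports violations and does not block anything, so it does not mitigate.
    """
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return value
    return None


def csp_findings(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the policy passed these checks."""
    csp = get_csp(headers)
    if csp is None:
        return ["missing: no Content-Security-Policy header set"]

    policy = parse_csp(csp)
    findings: List[str] = []

    # Scripts are governed by script-src, which falls back to default-src when absent.
    script_sources = policy.get("script-src", policy.get("default-src"))
    if script_sources is None:
        findings.append("permissive: neither script-src nor default-src restricts scripts")
    else:
        for src in script_sources:
            if src in UNSAFE_SCRIPT_SOURCES:
                findings.append(f"permissive: script-src allows {src}")
            elif src.lower() in UNSAFE_SCHEME_SOURCES:
                findings.append(f"permissive: script-src allows any {src} origin")

    # frame-ancestors is the CSP directive that controls framing (clickjacking).
    if "frame-ancestors" not in policy:
        findings.append("clickjacking: no frame-ancestors directive")

    return findings


# Constructed sample responses (header dictionaries only).
MISSING = {"Content-Type": "text/html"}
PERMISSIVE = {"content-security-policy": "default-src * 'unsafe-inline' 'unsafe-eval'"}
STRICT = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
    "object-src 'none'; frame-ancestors 'none'"
}

if __name__ == "__main__":
    for label, hdrs in (("missing", MISSING), ("permissive", PERMISSIVE), ("strict", STRICT)):
        print(label, csp_findings(hdrs) or ["ok"])
```

The permissive sample produces four findings (three unsafe script sources plus the missing frame-ancestors directive), the strict sample none. A policy that sets script-src to a nonce or hash list would also pass this check; the checker does not attempt to judge whether an allowlisted host is itself safe, which is one reason the securityheaders.io report linked above is still worth running against the live site.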
References
- https://content-security-policy.com/
- https://www.owasp.org/index.php/Content_Security_Policy
- Content Security Policy – An Introduction