Severity: HIGH | CWE-1021 | Category: Security Headers

Missing Content Security Policy

Description

Your app does not send a Content-Security-Policy header, leaving it vulnerable to XSS and data injection attacks.

How Vezraa Detects It

We fetch your app's HTTP response headers and check for the presence and validity of the CSP header.

Real-World Impact

Any XSS vulnerability becomes trivially exploitable — attackers can exfiltrate cookies, session tokens, and sensitive data.

Fix Example

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
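As an added example, not Vezraa's own scanner code: a small Python checker that performs the presence-and-validity test described under "How Vezraa Detects It", run against the header from the fix example above and two constructed weaker responses. The weakness rules (no default-src, wildcard or 'unsafe-inline'/'unsafe-eval' in script-src, plain http: script sources) are assumptions about what "validity" should cover, not Vezraa's actual ruleset.

```python
"""Check an HTTP response's Content-Security-Policy header for presence and obvious weaknesses."""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:  # skip the empty piece left by a trailing ';'
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the CSP passed these checks.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is None:
        return ["missing: no Content-Security-Policy header"]
    policy = parse_csp(csp)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("weak: no default-src fallback")
    # script-src falls back to default-src when absent, so check whichever applies
    scripts = policy.get("script-src", policy.get("default-src", []))
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if bad in scripts:
            findings.append(f"weak: script-src allows {bad}")
    if any(s.startswith("http:") for s in scripts):
        findings.append("weak: script-src allows plain http: sources")
    return findings


# Constructed sample responses (not real scan output); "fix-example" is the page's own header.
SAMPLE_RESPONSES = {
    "no-csp": {"Content-Type": "text/html"},
    "weak-csp": {"Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'"},
    "fix-example": {"Content-Security-Policy":
        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, check_csp(hdrs) or ["ok"])
```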

Affected Stacks

All web apps
