HIGH | CWE-1021 | Security Headers
Missing Content Security Policy
Description
Your app does not send a Content-Security-Policy header, so the browser enforces no restrictions on where scripts, styles and other resources may load from, leaving the app without a defense-in-depth layer against XSS and data injection attacks.
How Vezraa Detects It
We fetch your app's HTTP response headers and check for the presence and validity of the CSP header.
Real-World Impact
Without a CSP, any XSS vulnerability becomes trivially exploitable: injected script runs unrestricted and can exfiltrate cookies, session tokens, and other sensitive data.
Fix Example
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
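An added example, not Vezraa's scanner code, of the presence-and-validity check described under "How Vezraa Detects It", run against constructed header sets including the fix above; the weakness rules and sample values are assumptions:

```python
"""Check a response's Content-Security-Policy header for presence and common
weaknesses. Added example, not Vezraa's scanner code; rules are assumptions."""
from typing import Dict, List

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split "name src src; name src" into {name: [sources]}, names lower-cased."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:  # skip the empty element left by a trailing ';'
            policy.setdefault(parts[0].lower(), []).extend(parts[1:])
    return policy


def check_csp(headers: Dict[str, str]) -> List[str]:
    """Return findings for the response headers; an empty list means the policy looks sound."""
    # Header names are case-insensitive, so match without regard to case.
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return ["missing: no Content-Security-Policy header"]
    policy = parse_csp(csp)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("weak: no default-src, so unlisted fetch directives are unrestricted")
    # script-src falls back to default-src when absent.
    scripts = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in scripts)
    # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'; without one it defeats the policy.
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("weak: 'unsafe-inline' in script sources allows injected inline scripts")
    if "*" in scripts or "'unsafe-eval'" in scripts:
        findings.append("weak: wildcard or 'unsafe-eval' in script sources")
    return findings


# Constructed sample header sets (not real scan output).
SAMPLE_MISSING = {"Content-Type": "text/html"}
SAMPLE_WEAK = {"Content-Security-Policy": "script-src 'self' 'unsafe-inline' *"}
SAMPLE_FIXED = {"content-security-policy":
                "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"}

if __name__ == "__main__":
    for name, hdrs in [("missing", SAMPLE_MISSING), ("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)]:
        print(name, check_csp(hdrs) or ["ok"])
```

The fix header above passes with no findings; 'unsafe-inline' in style-src is deliberately not flagged because only script-executing sources are checked here.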
Affected Stacks
All web apps