Feature Value
Type Detection
Risk -
Covered by Agent

Application is not using CSP header properly. CSP stands for Content Security Policy.

This is a W3C specification instructing the client browser which type of resources can be loaded and/or from which location. The CSP specification uses directives to define a loading behavior for a target resource type.

Content Security Policy (CSP) is a new(ish) technology put together by Mozilla that Web apps can use as an additional layer of protection against Cross-Site Scripting (XSS). This protection against XSS is the primary goal of CSP technology. A secondary goal to protect against Directives can be specified using an HTTP response header (a server may send more than one CSP HTTP header field with a given resource representation and a server may send different CSP header field values with different representations of the same resource or with different resources) or HTML Meta tag. The HTTP headers below are defined by the specs:

Content-Security-Policy CSP Level 2 40+ Full January 2015 31+ Partial
July 2014
- -
Content-Security-Policy CSP 1.0 25+ 23+ 7+ Edge 12 build 10240+
X-Content-Security-Policy Deprecated - 4.0+ - 10+ Limited
X-Webkit-CSP Deprecated 14+ - 6+ -

Note: It is known that having both Content-Security-Policy and X-Content-Security-Policy or X-Webkit-CSP causes unexpected behaviors on certain versions of browsers. Please avoid using deprecated X-* headers.

More information

How to solve it

It is always a good security practice to send a proper value for this header

CSP seems to be free from having any downside. It is there to make sites safer, and even if a client browser does not support it, it is entirely backwards-compatible, so your site will not break for the client.