Question 1

What is the "Missing CSP header" check?

Accepted Answer

No Content-Security-Policy header. Browsers and users expect sites to be secure. Missing protections expose visitors to data theft, phishing, and loss of trust.

Question 2

How do I fix "Missing CSP header"?

Accepted Answer

Add Content-Security-Policy header: # Nginx — add inside your server {} block
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'" always;

# Apache — add to .htaccess or <VirtualHost>
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'"

Missing CSP header

Why it matters

How to fix

Related checks in Security

SSL certificate expired

Certificate expiring soon

Certificate expiring

No HTTPS redirect

Mixed content

Run a free scan to check your site