Fix Guide

How to Fix a Missing CSP Header

The response has no Content-Security-Policy header.

Safe public URL scan. Results include technology evidence, SEO checks, security headers, accessibility basics, and a developer fix list.

Recommended fix

Start with a report-only CSP, inventory third-party scripts, then enforce a tested policy.

This guide is designed to pair with a scanner report. Run a URL scan first, then follow the implementation steps.

Developer task

Add Content-Security-Policy at Nginx/CDN/server level and monitor violations before strict enforcement.

Implementation steps

How to apply this fix

  1. Inventory every script, style, font, image, and connect origin the site loads.
  2. Deploy Content-Security-Policy-Report-Only with a draft policy and a report endpoint.
  3. Review violation reports and add legitimate sources until the policy is clean.
  4. Switch to an enforcing Content-Security-Policy header at the CDN/server/Nginx layer.
  5. Re-scan to confirm CSP is present and monitor for regressions after deploys.
Verify

Re-run the URL scan after deploying the change to confirm the issue clears and the Themerella Score updates.

Related guides

Continue the same website quality workflow.