Fix Guide
How to Fix a Missing CSP Header
The response has no Content-Security-Policy header.
Recommended fix
Start with a report-only CSP, inventory third-party scripts, then enforce a tested policy.
This guide is designed to pair with a scanner report. Run a URL scan first, then follow the implementation steps.
Developer task
Add Content-Security-Policy at Nginx/CDN/server level and monitor violations before strict enforcement.
Implementation steps
How to apply this fix
- Inventory every script, style, font, image, and connect origin the site loads.
- Deploy Content-Security-Policy-Report-Only with a draft policy and a report endpoint.
- Review violation reports and add legitimate sources until the policy is clean.
- Switch to an enforcing Content-Security-Policy header at the CDN/server/Nginx layer.
- Re-scan to confirm CSP is present and monitor for regressions after deploys.
Verify
Re-run the URL scan after deploying the change to confirm the issue clears and the Themerella Score updates.
Related guides