Strong protection against Clickjacking thanks to strict 'frame-ancestors', 'frame-src' and 'child-src'.

Strong protection against Formjacking thanks to strict 'form-action' and 'base-uri'.

'self' might host <a class="text-blue-500 font-medium hover:underline hover:text-blue-600" href="https://rapidsec.com/docs/csp-bypasses?utm_source=cspscanner&utm_medium=result_section" rel="noopener" target="_blank">CSP bypasses</a> (such as JSONP endpoints, legacy Angular or user uploaded files).

Missing 'child-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

'none' is the strictest possible value for 'default-src'. Well done!

Missing 'frame-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

Missing 'manifest-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

Missing 'media-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

'none' is the strictest possible value for 'object-src'. Well done!

Missing 'prefetch-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

Missing 'worker-src'. Falling back to 'default-src'. It's better to explicitly define this directive.

'none' is the strictest possible value for 'frame-ancestors'. Well done!

Strong CSP reporting thanks to 'report-sample'.

Add 'report-uri' directive to receive violation reports. <a class="text-blue-500 font-medium hover:underline hover:text-blue-600" href="https://rapidsec.com/projects/add?utm_source=cspscanner&utm_medium=report-uri" rel="noopener" target="_blank">Setup a free report-uri at RapidSec</a>

Missing 'report-sample'. It is important in order to have strong and rich CSP reporting like XSS advanced analysis.

Has CSP in enforcing mode which can protect client-side attacks like XSS, Clickjacking, Formjacking, Data Exfiltration and more.

Client-Side CSP Security Posture

Content Security Policy (CSP) Scanner