A Content Security Policy is an allowlist you send in a response header telling the browser exactly which sources are allowed to load scripts, styles, images, and other content on your page — anything not on the list gets blocked automatically.
CSP prevents cross-site scripting (XSS) by telling browsers which scripts are allowed to run on your page. Without it, any injected script executes freely — the most common client-side attack.
The CSP header is enforced (not report-only), your site functions normally, and browser console shows no CSP violations on a full page load.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →