1 min · Quick Tips · March 19, 2026

The 30-Second CSP Check

Run this in your terminal and find out if your Content-Security-Policy is actually protecting you.


Ryan Macomber

Founder, VibeSec Advisory

Quick test

Run this in your terminal:

curl -I https://yoursite.com | grep -i "content-security-policy"

What you want to see

content-security-policy: default-src 'self'; ...

What you do not want to see

Nothing at all

This means you have no CSP: the browser has no policy to enforce, so any script that gets injected into a page can run on your site.


unsafe-inline

This weakens your CSP: inline scripts, including ones an attacker injects, are allowed to run.

unsafe-eval

This allows eval() and other string-to-code calls such as new Function(). It is rarely needed and dangerous.

Asterisks

script-src * allows scripts from any origin. Not great.

The ideal CSP

Content-Security-Policy:
  default-src 'self';
  script-src 'self';
  style-src 'self';
  img-src 'self' data:;
  font-src 'self';
  connect-src 'self';
  frame-ancestors 'none';
  base-uri 'self';
  form-action 'self';

Start strict. Relax only what you need.
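As an added example (not from the original post), the quick test and the weak-settings list above folded into a small POSIX shell script: it fetches the enforced header with a GET while following redirects (a HEAD request or an unfollowed 301 can look like "no CSP"), ignores the Report-Only variant because it blocks nothing, and flags unsafe-inline, unsafe-eval and wildcard script sources. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; csp_fetch, csp_findings and csp_grade are hypothetical names.

# Print the enforced Content-Security-Policy of the final response.
# GET instead of HEAD: some servers omit CSP on HEAD. -L follows redirects.
# "content-security-policy-report-only" is not matched: it only reports.
csp_fetch() {
  curl -sSL -D - -o /dev/null "$1" | tr -d '\r' \
    | awk 'tolower($0) ~ /^content-security-policy:/ { sub(/^[^:]*:[ \t]*/, ""); v = $0 }
           END { print v }'
}

# Print the weaknesses found in a policy string, space separated:
# unsafe-inline, unsafe-eval, wildcard (a bare * in script-src, or in
# default-src when script-src is absent, meaning scripts from anywhere).
csp_findings() {
  set -f                                   # no globbing: the policy contains '*'
  lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  out=""; script=""; default=""; have_script=""
  case "$lower" in *"'unsafe-inline'"*) out="$out unsafe-inline";; esac
  case "$lower" in *"'unsafe-eval'"*)   out="$out unsafe-eval";;   esac
  old_ifs=$IFS; IFS=';'                    # directives are separated by ';'
  for directive in $lower; do
    directive=$(printf '%s' "$directive" | sed 's/^[[:space:]]*//')
    case "$directive" in
      "script-src "*|"script-src")   have_script=1; script="${directive#script-src}";;
      "default-src "*|"default-src") default="${directive#default-src}";;
    esac
  done
  IFS=$old_ifs
  if [ -n "$have_script" ]; then effective=$script; else effective=$default; fi
  for src in $effective; do
    [ "$src" = "*" ] && out="$out wildcard"
  done
  set +f
  printf '%s\n' "${out# }"
}

# Exit 0 only when a policy is present and has none of the weaknesses above.
csp_grade() {
  if [ -z "$1" ]; then echo "FAIL: no enforced Content-Security-Policy"; return 1; fi
  f=$(csp_findings "$1")
  if [ -n "$f" ]; then echo "WEAK: $f"; return 1; fi
  echo "OK: $1"; return 0
}

# Usage: csp_grade "$(csp_fetch https://yoursite.com)"
```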

Why bother

CSP limits the damage from XSS attacks. Even if an attacker manages to inject a script into a page, the browser will refuse to run it because it does not come from an allowed source.

It is your last line of defense.


If your CSP check failed, we can help. Get your free full security assessment
