Quick test
Run this in your terminal:
curl -I https://yoursite.com | grep -i "content-security-policy"
What you want to see
content-security-policy: default-src 'self'; ...
What you do not want to see
Nothing at all
This means you have no CSP. The browser places no restrictions on where scripts come from, so any script an attacker manages to inject will run on your site.
VibeSec Advisory publishes practical research, Skills, workflow examples, MCP notes, prompt injection tests, and AI red-team lessons for builders working with agentic AI.
unsafe-inline
This weakens your CSP. If an attacker can inject HTML, the inline script they add will run, which is exactly the case CSP is meant to block.
unsafe-eval
This allows eval() and other string-to-code calls. It is rarely needed and dangerous, because injected strings can become executable code.
Asterisks
script-src * means scripts may load from any origin. Not great: it leaves you relying on every host on the internet.
The ideal CSP
Content-Security-Policy:
default-src 'self';
script-src 'self';
style-src 'self';
img-src 'self' data:;
font-src 'self';
connect-src 'self';
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
Start strict. Relax only what you need.
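To turn the quick test and the "what you do not want to see" list into a repeatable check, here is an added example (not tooling from VibeSec Advisory or this page) that reads raw response headers as printed by curl -I, extracts the CSP, and flags a missing policy, unsafe-inline, unsafe-eval and the * wildcard in the effective script-src. It also renders the ideal policy above from a dictionary and confirms it passes the same checks. The sample header blocks are constructed for the example; the function names are the author's own choice.

```python
"""Check a Content-Security-Policy header for the weaknesses listed in the guide.

Added example; not code from VibeSec Advisory. Header samples are constructed.
"""
from __future__ import annotations

# Constructed samples of what `curl -I` might print for three different sites.
SAMPLE_HEADERS = {
    "none": "HTTP/2 200\r\ncontent-type: text/html\r\n",
    "weak": (
        "HTTP/2 200\r\n"
        "Content-Security-Policy: default-src 'self'; "
        "script-src 'self' * 'unsafe-inline' 'unsafe-eval'\r\n"
    ),
    "strict": (
        "HTTP/2 200\r\n"
        "content-security-policy: default-src 'self'; script-src 'self'; "
        "frame-ancestors 'none'\r\n"
    ),
}

# The ideal policy from the guide, as data so it can be rendered and checked.
IDEAL_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
}


def extract_csp(raw_headers: str) -> str | None:
    """Return the CSP value from raw response headers, or None when absent.
    Header names are case-insensitive, so match the way `grep -i` would."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-security-policy":
            return value.strip()
    return None


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.
    Everything is lower-cased for comparison only; keywords are matched
    case-insensitively by browsers, and we never echo nonce/hash values."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            name, *sources = tokens
            directives.setdefault(name.lower(), []).extend(s.lower() for s in sources)
    return directives


def render_policy(directives: dict[str, list[str]]) -> str:
    """Serialise a directive map back into a header value."""
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in directives.items())


def find_weaknesses(policy: str | None) -> list[str]:
    """Apply the guide's checks to one policy string; empty list means clean."""
    if policy is None or not policy.strip():
        return ["missing: no CSP, any injected script runs"]
    csp = parse_csp(policy)
    # script-src falls back to default-src when it is not set.
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        return ["missing: neither script-src nor default-src, scripts are unrestricted"]
    findings: list[str] = []
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present;
    # it then only matters as a fallback for old browsers.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
    )
    if "'unsafe-inline'" in script_src:
        if has_nonce_or_hash:
            findings.append("unsafe-inline: present but ignored where a nonce/hash is honoured")
        else:
            findings.append("unsafe-inline: injected inline scripts will run")
    if "'unsafe-eval'" in script_src:
        findings.append("unsafe-eval: eval() and other string-to-code calls are allowed")
    if "*" in script_src:
        findings.append("wildcard: scripts may load from any origin")
    return findings


def audit(raw_headers: str) -> list[str]:
    """Convenience wrapper: raw `curl -I` text in, list of findings out."""
    return find_weaknesses(extract_csp(raw_headers))


if __name__ == "__main__":
    for label, raw in SAMPLE_HEADERS.items():
        print(label, audit(raw) or ["clean"])
    print("ideal", find_weaknesses(render_policy(IDEAL_POLICY)) or ["clean"])
```

To run it against a real site, save the output of curl -I to a file and pass its contents to audit(). Keep in mind that -I sends a HEAD request; if your server answers HEAD differently from GET, check a GET response's headers as well before trusting the result.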
Why bother
CSP blunts XSS attacks. Even if an attacker gets a script into your page, the browser will not run it unless the policy allows that source.
It is your last line of defense, after output encoding and input validation have already failed.
If your CSP check failed, we can help: browse the Skill Library.