1 min · AI Security · March 19, 2026

The 30-Second CSP Check

Run this in your terminal and find out if your Content-Security-Policy is actually protecting you.


Ryan Macomber

Founder, VibeSec Advisory

Quick test

Run this in your terminal:

curl -I https://yoursite.com | grep -i "content-security-policy"

What you want to see

content-security-policy: default-src 'self'; ...

What you do not want to see

Nothing at all

This means the site sends no CSP, so the browser applies no source restrictions: any script an attacker manages to inject will run.


unsafe-inline

This weakens your CSP. With 'unsafe-inline' in script-src the browser executes inline script blocks and inline event handlers, which is exactly the form most injected XSS payloads take, so the policy no longer blocks them.

unsafe-eval

This allows eval() and the related string-to-code calls (new Function(), setTimeout() with a string argument). Legitimate code rarely needs it, and it reopens a code-execution path that the rest of the policy closes.

Asterisks

script-src * allows scripts from any origin, which leaves script injection essentially unrestricted. Not great.

The ideal CSP

Content-Security-Policy:
  default-src 'self';
  script-src 'self';
  style-src 'self';
  img-src 'self' data:;
  font-src 'self';
  connect-src 'self';
  frame-ancestors 'none';
  base-uri 'self';
  form-action 'self';

Start strict. Relax only what you need.
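As an added example, not from the original post, the following Python script applies the checks above to a header value: it flags a missing policy, 'unsafe-inline', 'unsafe-eval' and * in the effective script-src, and the directives the ideal policy sets that do not inherit from default-src. The names parse_csp, lint_csp and fetch_csp are hypothetical; the sample policies in the test are constructed.

```python
# Added example, not from the original post: applies the post's CSP checks to a
# header value. parse_csp(), lint_csp() and fetch_csp() are hypothetical names.
import urllib.request
from typing import Dict, List, Optional

WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}
# These directives do not fall back to default-src, so the ideal policy sets
# each of them explicitly; their absence is reported as a finding.
EXPECTED_DIRECTIVES = ("default-src", "frame-ancestors", "base-uri", "form-action")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()  # tolerates newlines and extra spaces
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def lint_csp(policy: Optional[str]) -> List[str]:
    """Return findings in the order of the post's checklist; empty means it passed."""
    if policy is None or not policy.strip():
        return ["no CSP header: the browser imposes no script restrictions"]
    d = parse_csp(policy)
    findings: List[str] = []
    # script-src inherits from default-src when absent; the checked directives above do not.
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts from anywhere")
    else:
        for src in sorted(WEAK_SCRIPT_SOURCES & set(script)):
            findings.append(f"script-src allows {src}")
    findings.extend(f"missing {name}" for name in EXPECTED_DIRECTIVES if name not in d)
    return findings


def fetch_csp(url: str) -> Optional[str]:
    """GET the page and return its CSP header value, or None if the site sends none.
    A GET is used rather than HEAD because some servers omit headers on HEAD requests."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get("Content-Security-Policy")


if __name__ == "__main__":
    import sys
    for finding in lint_csp(fetch_csp(sys.argv[1])) or ["CSP looks strict"]:
        print(finding)
```

Run it as `python csp_check.py https://yoursite.com`; a policy delivered only via a meta tag in the HTML is not seen by either this script or the curl check above.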

Why bother

CSP stops XSS attacks at the point where they would do damage: even if an attacker injects a script, the browser will not run it, because its source is not allowed by the policy.

It is your last line of defense.

