AI Security · March 19, 2026 · 1 min read

The 30-Second CSP Check

Run this in your terminal and find out if your Content-Security-Policy is actually protecting you.


Ryan Macomber

Founder, VibeSec Advisory

Quick test

Run this in your terminal:

curl -sIL https://yoursite.com | grep -i "content-security-policy"

-I sends a HEAD request and -L follows redirects, so you grade the final response rather than a 301 that may carry no header. If your server only sets the header on GET responses, use curl -s -D - -o /dev/null https://yoursite.com instead to dump the headers of a normal request.

What you want to see

content-security-policy: default-src 'self'; ...

What you do not want to see

Nothing at all

This means you have no CSP. Any script can run on your site. (One caveat: a policy delivered in a <meta http-equiv="Content-Security-Policy"> tag instead of a header will not show up in this check, so look at the HTML too before concluding there is none.)


unsafe-inline

This weakens your CSP. With 'unsafe-inline' in script-src, any inline script or event handler an attacker manages to inject will execute, which is exactly what CSP is meant to stop.

unsafe-eval

This allows eval() and similar string-to-code calls such as new Function(). Rarely needed and dangerous, since injected strings can become executable code.

Asterisks

script-src * allows scripts from any origin, so an attacker-controlled host is trusted as much as your own. Not great.

The ideal CSP

Content-Security-Policy:
  default-src 'self';
  script-src 'self';
  style-src 'self';
  img-src 'self' data:;
  font-src 'self';
  connect-src 'self';
  frame-ancestors 'none';
  base-uri 'self';
  form-action 'self';

Start strict. Relax only what you need. Note that frame-ancestors, base-uri and form-action do not fall back to default-src, which is why they are listed explicitly even though everything else inherits from 'self'.
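As an added example (not code from the post), here is a POSIX shell function that applies the checks above to a captured header value, plus a wrapper around the curl one-liner for live sites; csp_findings and csp_check_url are names of my choosing.

```shell
#!/bin/sh
# Added example (not from the post): grade a Content-Security-Policy value
# against the weak patterns described above. csp_findings prints one line
# per finding and returns 1 when any were found, 0 when the policy looks
# strict. csp_check_url is a hypothetical wrapper around the curl one-liner.

csp_findings() {
  csp="$1"; rc=0
  if [ -z "$csp" ]; then
    echo "MISSING: no Content-Security-Policy header (any script can run)"
    return 1
  fi
  has_script_policy=0
  old_ifs="$IFS"; IFS=';'                   # split the policy into directives
  for directive in $csp; do
    IFS="$old_ifs"                          # list was expanded once; restore
    directive="$(printf '%s' "$directive" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
    [ -z "$directive" ] && continue
    name="$(printf '%s' "${directive%% *}" | tr 'A-Z' 'a-z')"
    value=""; [ "$name" != "$directive" ] && value="${directive#* }"
    # Script execution is governed by script-src, falling back to default-src.
    if [ "$name" = "script-src" ] || [ "$name" = "default-src" ]; then
      has_script_policy=1
      case " $value " in *"'unsafe-inline'"*)
        echo "WEAK: $name allows 'unsafe-inline' (injected inline scripts run)"; rc=1 ;;
      esac
      case " $value " in *"'unsafe-eval'"*)
        echo "WEAK: $name allows 'unsafe-eval' (eval() is permitted)"; rc=1 ;;
      esac
      case " $value " in *" * "*)
        echo "WEAK: $name uses a bare wildcard (scripts from anywhere)"; rc=1 ;;
      esac
    fi
  done
  IFS="$old_ifs"
  if [ "$has_script_policy" -eq 0 ]; then
    echo "WEAK: neither script-src nor default-src is set (scripts unrestricted)"; rc=1
  fi
  return $rc
}

# Fetch the final response's CSP header for a URL and grade it (needs curl).
csp_check_url() {
  header="$(curl -sIL "$1" | tr -d '\r' | grep -i '^content-security-policy:' \
    | tail -n 1 | cut -d: -f2-)"
  csp_findings "${header# }"
}
```

A policy that carries a nonce or hash alongside 'unsafe-inline' is a special case (modern browsers then ignore 'unsafe-inline'), so treat that finding as a prompt for manual review rather than a verdict.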

Why bother

A strict CSP blunts XSS attacks. Even if an attacker gets a script into the page, the browser will not run it unless the policy allows its source.

It is your last line of defense.
