How to fix: Content-Security-Policy (NIS2 technical measure)

NIS2 Art. 21(2)(a)

Why this matters

Content-injection mitigation is part of NIS2's expected cybersecurity hygiene. A CSP demonstrates technical control over what third-party resources can execute on your pages.

Background

NIS2 Art. 21 requires technical measures to secure ICT systems. Content-Security-Policy is the highest-leverage of those: it restricts which sources a page may load or execute, which blunts the impact of XSS. The header check itself is identical to security.csp; this check just surfaces it under the NIS2 compliance heading for the audit report.

References

NIS2 Art. 21(2)(a) — security of network and information systems · MDN CSP

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx: same as security.csp. add_header Content-Security-Policy "default-src 'self'; ..." always;
apache: same as security.csp.
cloudflare: same as security.csp.
wordpress: same as security.csp (WP Headers Security Advanced plugin, or functions.php).
flask: same as security.csp.
express: same as security.csp (helmet.contentSecurityPolicy()).
rails: same as security.csp.

Verify it's working

curl -sI https://your-site/ | grep -i content-security-policy
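The grep above only tells you the header is present. As an added example (not part of this guide or the audit tool's own check code), the Python below pulls the policy out of raw response headers like those curl prints, parses it into directives, and flags settings that leave injected script room to run. The captured header text and the hardened policy are constructed samples; the findings follow common CSP guidance rather than the tool's rule set.

```python
"""Parse and audit a Content-Security-Policy header value.

Added example for this guide; it is not the audit tool's own check
code. The header text and policies below are constructed samples, and
the findings reflect common CSP guidance, not the tool's rule set.
"""
from typing import Dict, List, Optional

# Source expressions that let any host (or any host on a scheme) serve script.
OVERLY_BROAD_SOURCES = ("*", "http:", "https:", "data:")
# Prefixes of nonce/hash sources; when one is present, browsers ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def csp_from_raw_headers(raw: str) -> Optional[str]:
    """Pull the CSP value out of raw response headers (curl -sI output)."""
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-security-policy":
            return value.strip()
    return None


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source, ...]}.

    Directives are ';'-separated, tokens whitespace-separated. Directive
    names are case-insensitive and the first occurrence wins, which is
    how browsers treat duplicates. Source values are kept verbatim
    because nonces and hashes are case-sensitive.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header: str) -> List[str]:
    """Return findings for a policy (empty list = no weak settings detected)."""
    policy = parse_csp(header)
    findings: List[str] = []

    if "default-src" not in policy:
        findings.append("no default-src: fetch directives you did not list fall back to allowing any origin")

    # script-src inherits from default-src when it is not set explicitly.
    script_sources = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in script_sources)
    if "'unsafe-inline'" in script_sources and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' with no nonce or hash: injected inline script still runs")
    if "'unsafe-eval'" in script_sources:
        findings.append("script-src allows 'unsafe-eval': string-to-code (eval, new Function) is permitted")
    for source in script_sources:
        if source in OVERLY_BROAD_SOURCES:
            findings.append(f"script-src allows {source}: any host matching it can serve script")

    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content is a script-execution vector")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    return findings


# Constructed sample of what `curl -sI https://your-site/` might print.
SAMPLE_RAW_HEADERS = (
    "HTTP/2 200\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' https:\r\n"
    "\r\n"
)

# Constructed hardened policy for comparison: nonce-based script allow-list,
# plugins disabled, <base> pinned, framing refused.
HARDENED_POLICY = (
    "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3'; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
)

if __name__ == "__main__":
    observed = csp_from_raw_headers(SAMPLE_RAW_HEADERS)
    print("observed policy:", observed)
    for finding in audit_csp(observed or ""):
        print("  -", finding)
    print("hardened policy findings:", audit_csp(HARDENED_POLICY))
```

Pipe real output in with `curl -sI https://your-site/ | python3 audit_csp.py` after swapping the constructed sample for `sys.stdin.read()`. The nonce value in the hardened policy is a placeholder; in production it must be generated per response and echoed on every `<script nonce="...">` tag.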
