How to fix: Content-Security-Policy (NIS2 technical measure)
NIS2 Art. 21(2)(a)
Why this matters
Content-injection mitigation is part of NIS2's expected cybersecurity hygiene. A CSP demonstrates technical control over what third-party resources can execute on your pages.
Background
NIS2 Art. 21 requires technical measures to secure ICT systems. Content-Security-Policy is the highest-leverage of those: it neutralises the impact of XSS by restricting which scripts and resources a page may load. The header check itself is identical to security.csp; this check just surfaces it under the NIS2 compliance heading for the audit report.
References
NIS2 Art. 21(2)(a) — security of network and information systems · MDN CSP
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
Same as security.csp:
add_header Content-Security-Policy "default-src 'self'; ..." always;
apache
Same.
cloudflare
Same.
wordpress
Same: either the WP Headers Security Advanced plugin or the header set from functions.php.
flask
Same.
express
Same: helmet.contentSecurityPolicy().
rails
Same.
Verify it's working
curl -sI https://your-site/ | grep -i content-security-policy
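The per-stack snippets above all boil down to the same two steps: serialise a policy into the header value and attach it to every response, then confirm the served value is actually restrictive (a CSP that contains 'unsafe-inline' in script-src passes the grep but does not stop XSS). The example below is added here and is not code from the audit page or from any of the frameworks listed; it uses plain WSGI so it works behind Flask or any other WSGI app without extra dependencies. The policy directives and the weak sample value are constructed for illustration.

```python
"""Added example (not from the audit page or the listed frameworks):
build a Content-Security-Policy value, inject it via plain WSGI, and lint a
served value for the weaknesses an auditor would flag."""
from typing import Dict, List

# Constructed policy: assumes a site that serves its own scripts and styles
# and only embeds inline data: images. Adjust per application.
POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
    "form-action": ["'self'"],
}


def build_csp(policy: Dict[str, List[str]]) -> str:
    """Serialise a directive map into a header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [sources]}; first occurrence wins, as in browsers."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(value: str) -> List[str]:
    """Return human-readable findings; an empty list means no weakness was spotted."""
    findings: List[str] = []
    d = parse_csp(value)
    if "default-src" not in d:
        findings.append("no default-src: any directive you forgot falls back to allow-all")
    # script-src inherits from default-src when it is absent.
    script = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src permits 'unsafe-inline': injected <script> still runs")
    if "'unsafe-eval'" in script:
        findings.append("script-src permits 'unsafe-eval'")
    if any(s in ("*", "http:", "https:", "data:") for s in script):
        findings.append("script-src allows a bare scheme or wildcard: any host can supply scripts")
    if "object-src" not in d and "'none'" not in d.get("default-src", []):
        findings.append("object-src not restricted: plugin content can be embedded")
    if "base-uri" not in d:
        findings.append("base-uri unset: an injected <base> can redirect relative script URLs")
    return findings


def with_csp(app, value: str):
    """WSGI middleware that sets (overriding any existing) Content-Security-Policy."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "content-security-policy"]
            headers.append(("Content-Security-Policy", value))
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped


def response_headers(app, path: str = "/") -> Dict[str, str]:
    """Drive a WSGI app offline and collect its response headers (test helper)."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    body = app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response)
    list(body)  # consume the response iterator
    return captured


def hello(environ, start_response):
    """Minimal WSGI app standing in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


if __name__ == "__main__":
    header = build_csp(POLICY)
    print(response_headers(with_csp(hello, header)))
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"  # constructed weak value
    for sample in (header, weak):
        print(sample, "->", audit_csp(sample) or "ok")
```

After deploying, paste the value returned by the curl command above into audit_csp(); the grep only proves the header exists, while the findings list tells you whether it would stop an injected script.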