
security

How to fix: CSP quality (no unsafe-inline / wildcards)

OWASP A05 · NIS2 Art. 21(2)(a)

Why this matters

'unsafe-inline' in script-src lets any injected <script> tag or event-handler attribute execute, and 'unsafe-eval' lets injected strings reach eval() and new Function(); together they hand back most of the XSS protection the policy exists to provide. Nonces or hashes mark exactly the inline scripts you wrote and nothing else, so you keep the flexibility without the hole. A browser that understands nonces or hashes ignores 'unsafe-inline' when one is present in script-src, so the keyword may stay only as a fallback for very old browsers.

Background

A present CSP doesn't mean a useful CSP. The common failure modes defeat the purpose: 'unsafe-inline' on script-src; scheme or host wildcards (https:, *.googleapis.com) that trust every host on the scheme or every subdomain, including any that serve JSONP endpoints or user-uploaded content; no object-src 'none', so plugin content can be injected; no base-uri, so an injected <base> tag retargets every relative script URL; no frame-ancestors (which, like base-uri, does not inherit from default-src), so the page can be framed; no report-uri or report-to, so violations are never seen. Use a fresh, unpredictable nonce per response (or hashes for static inline scripts), allow specific sub-origins only, and deploy under the Content-Security-Policy-Report-Only header until the report stream is clean before switching to the enforcing header.

References

OWASP A05 · CSP Level 3 footguns (Google's CSP Evaluator)

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx
Replace 'unsafe-inline' with 'nonce-{nonce}', where {nonce} is a fresh per-response value; nginx does not mint one for you, so either have the application set the header or use $request_id and inject the same value into the markup with sub_filter. Replace the https: wildcard with the explicit sub-origins you actually load; add object-src 'none'; base-uri 'self'; frame-ancestors 'self'.
apache
Same edits as nginx; use Header always edit Content-Security-Policy "old" "new" for in-place rewrites of a header the application already sets (Header always set replaces the whole value instead).
cloudflare
Re-author the policy; use webauditfix.com/tools/csp-generator to draft a clean one from the third-parties you actually use. If Cloudflare (or any CDN) caches your HTML, a nonced page must be excluded from the cache, otherwise every visitor receives the same nonce and it no longer protects anything; use hashes for pages that must stay cacheable.
wordpress
Remove themes and plugins that inject inline <script> tags, or pass them a nonce; many cheap themes are the source of the 'unsafe-inline' requirement.
flask
Pass content_security_policy_nonce_in=['script-src', 'style-src'] to Talisman(app, ...) and put nonce="{{ csp_nonce() }}" on every inline <script> and <style> in your templates; Flask-Talisman generates a fresh nonce per request and adds it to the header for you.
express
Call helmet.contentSecurityPolicy({ useDefaults: false, directives: { ... } }) with explicit directives; Helmet's default policy keeps 'unsafe-inline' and the https: wildcard in style-src for compatibility, so do not ship it unedited.
rails
With the secure_headers gem, define SecureHeaders::Configuration.override(:strict) holding the nonce-based policy and call SecureHeaders.use_secure_headers_override(request, :strict) per controller. On Rails 5.2+ the built-in config.content_security_policy block plus config.content_security_policy_nonce_generator does the same without a gem.
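The one thing every stack above needs is a nonce that is minted fresh for each response and appears both in the header and on the inline script it authorises. This added example (not code from this page or from any of the projects listed) shows that as a plain WSGI app using only the standard library, with the weak "before" policy beside the strict "after"; the /csp-report endpoint and the ajax.googleapis.com origin are assumed placeholders.

```python
"""Per-response CSP nonce in a plain WSGI app (added example, stdlib only)."""
import base64
import secrets

# Assumed third-party script origin: replace with the exact sub-origins you load.
SCRIPT_ORIGINS = ["https://ajax.googleapis.com"]
REPORT_URI = "/csp-report"  # assumed endpoint; wire it to your log pipeline


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64-encoded: fresh and unguessable per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def weak_policy() -> str:
    """The 'before': a header is present, but 'unsafe-inline' and https: make it decorative."""
    return "default-src 'self'; script-src 'self' 'unsafe-inline' https:"


def strict_policy(nonce: str) -> str:
    """The 'after': nonce instead of 'unsafe-inline', explicit origins instead of https:."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' {' '.join(SCRIPT_ORIGINS)}",
        f"style-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",        # no plugin content at all
        "base-uri 'self'",          # an injected <base> cannot retarget relative URLs
        "frame-ancestors 'self'",   # anti-clickjacking; does not inherit from default-src
        f"report-uri {REPORT_URI}",
    ])


def render_page(nonce: str) -> bytes:
    """Only scripts carrying this response's nonce may run; the un-nonced one is blocked."""
    html = (
        "<!doctype html><html><head>"
        f'<script nonce="{nonce}">console.log("nonced inline script runs");</script>'
        "</head><body><p>CSP nonce demo</p>"
        '<script>console.log("injected script: blocked and reported");</script>'
        "</body></html>"
    )
    return html.encode("utf-8")


def app(environ, start_response):
    """WSGI entry point: mint one nonce, use it in the header and in the markup."""
    nonce = new_nonce()
    body = render_page(nonce)
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
        ("Content-Security-Policy", strict_policy(nonce)),
        # A page that embeds a nonce must never be cached, or every visitor shares it.
        ("Cache-Control", "no-store"),
    ])
    return [body]


def handle_request(environ=None):
    """Call the app without a server; returns (headers dict, body bytes) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = environ or {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response))
    return captured["headers"], body


def nonce_from_header(csp: str) -> str:
    """Extract the nonce value from a policy string (used for self-checks)."""
    return csp.split("'nonce-", 1)[1].split("'", 1)[0]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, app) as server:
        print("Serving on http://127.0.0.1:8000 (Ctrl-C to stop)")
        server.serve_forever()
```

Run it and load the page twice: the header's nonce changes on every response, the first inline script logs to the console, and the second (standing in for an injected payload) is blocked and posted to /csp-report. The Cache-Control: no-store line is the caveat that bites behind a CDN or a caching reverse proxy.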

Verify it's working

Paste your header into webauditfix.com/tools/csp-checker, which flags every footgun listed above. Cross-check by hand: fetch the page twice with curl and compare the Content-Security-Policy header; the nonce must differ on each response and script-src must contain no 'unsafe-inline' and no bare https:. Then open the site with the browser console visible: blocked inline scripts show up there as CSP violations, and the same violations must arrive at your report-uri, otherwise reporting is not wired up.
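The checks the online tool applies are the failure modes from the Background section, and they are simple enough to run locally, for example in a CI step over the header your deploy actually emits. This added example (not the webauditfix tool's code, and not from any of the projects above) parses a policy the way a browser does, including default-src fallback for fetch directives and the non-inheritance of base-uri and frame-ancestors, and flags each footgun named on this page. The two sample policies at the bottom are constructed for illustration.

```python
"""CSP footgun linter for the failure modes named on this page (added example, stdlib only)."""
from typing import Dict, List, Optional, Tuple

FETCH_DIRECTIVES = {"script-src", "style-src", "object-src"}  # these fall back to default-src
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
SCHEME_WILDCARDS = {"*", "http:", "https:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy header into {directive: [source tokens]}.

    Directives are ';'-separated, tokens whitespace-separated, names case-insensitive;
    a repeated directive is ignored after its first occurrence, as browsers do.
    Tokens are lower-cased because nonce/hash values are only ever prefix-checked here.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])
    return policy


def effective(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Fetch directives inherit default-src; base-uri and frame-ancestors never do."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def lint_csp(header: str) -> List[Tuple[str, str]]:
    """Return (directive, problem) pairs for each footgun found; an empty list means clean."""
    policy = parse_csp(header)
    findings: List[Tuple[str, str]] = []

    script = effective(policy, "script-src")
    if script is None:
        findings.append(("script-src", "absent and no default-src: scripts load from anywhere"))
    else:
        nonced = any(src.startswith(NONCE_OR_HASH) for src in script)
        # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is
        # present, so the keyword is only a footgun when it stands alone.
        if "'unsafe-inline'" in script and not nonced:
            findings.append(("script-src", "'unsafe-inline' without nonce or hash: injected inline scripts run"))
        if "'unsafe-eval'" in script:
            findings.append(("script-src", "'unsafe-eval': injected strings reach eval()/new Function()"))
        for src in script:
            if src in SCHEME_WILDCARDS:
                findings.append(("script-src", f"wildcard {src}: any host on that scheme may serve scripts"))
            elif src.startswith("*."):
                findings.append(("script-src", f"host wildcard {src}: every subdomain is trusted"))

    if effective(policy, "object-src") != ["'none'"]:
        findings.append(("object-src", "not 'none': plugin content can be injected"))
    if "base-uri" not in policy:
        findings.append(("base-uri", "absent: an injected <base> retargets relative script URLs"))
    if "frame-ancestors" not in policy:
        findings.append(("frame-ancestors", "absent: the page can be framed by any origin"))
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append(("report", "no report-uri/report-to: violations are never seen"))
    return findings


# Constructed sample policies: a typical decorative header, and a clean one.
WEAK_CSP = ("default-src 'self'; "
            "script-src 'self' 'unsafe-inline' https: *.googleapis.com; "
            "style-src 'self' 'unsafe-inline'")
STRICT_CSP = ("default-src 'self'; "
              "script-src 'nonce-R4nd0mPerResponseValue==' https://ajax.googleapis.com; "
              "object-src 'none'; base-uri 'self'; frame-ancestors 'self'; "
              "report-uri /csp-report")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        problems = lint_csp(csp)
        print(f"{name}: {len(problems)} finding(s)")
        for directive, problem in problems:
            print(f"  {directive}: {problem}")
```

The weak sample trips seven findings (three in script-src, plus the missing object-src 'none', base-uri, frame-ancestors and reporting); the strict one trips none. Note what the linter deliberately does not flag: 'unsafe-inline' sitting beside a nonce or hash, which is the documented fallback for old browsers rather than a hole.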
