[{"id":"699e8eb2496846fac56e6c1e","ts":"2026-02-25T05:54:58.482Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://delta3.fabulate.co/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self' blob: https://*.fabulate.co https://*.ibytedtos.com https://*.intercomcdn.com https://*.tiktokcdn.com; script-src 'self' 'unsafe-eval' http://*.google.com https://*.gstatic.com https://*.instagram.com https://*.youtube.com https://*.tiktok.com https://*.ttwstatic.com https://*.pusher.com https://*.stripe.com https://connect.facebook.net https://*.intercomcdn.com https://*.intercom.io https://*.i.posthog.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.gstatic.com https://*.ttwstatic.com; font-src 'self' data: https://fonts.gstatic.com https://*.intercomcdn.com https://*.fabulate.co; img-src 'self' data: blob: https://*.modash.io https://*.googleusercontent.com https://*.intercomassets.com https://*.intercomcdn.com https://*.fabulate.co https://*.fbcdn.net https://*.tiktokcdn.com https://unpkg.com https://cdn.jsdelivr.net; connect-src 'self' blob: data: https://*.google.com https://*.pusher.com wss://*.pusher.com https://*.i.posthog.com https://*.intercom.io wss://*.intercom.io https://*.intercom-messenger.com wss://*.intercom-messenger.com https://*.fabulate.co wss://*.fabulate.co https://graph.facebook.com https://*.googleapis.com https://*.googleusercontent.com https://*.gstatic.com https://*.mongodb.com https://*.cloud.mongodb.com https://*.abstractapi.com https://api.ipify.org; frame-src https://*.google.com https://*.loom.com https://*.instagram.com https://*.tiktok.com https://*.stripe.com https://*.youtube.com https://player.vimeo.com https://widget.intercom.io; worker-src 'self' blob: https://cdnjs.cloudflare.com; object-src 'none'; base-uri 
'self';","directives":{"base-uri":["'self'"],"connect-src":["'self'","blob:","data:","https://*.abstractapi.com","https://*.cloud.mongodb.com","https://*.fabulate.co","https://*.google.com","https://*.googleapis.com","https://*.googleusercontent.com","https://*.gstatic.com","https://*.i.posthog.com","https://*.intercom-messenger.com","https://*.intercom.io","https://*.mongodb.com","https://*.pusher.com","https://api.ipify.org","https://graph.facebook.com","wss://*.fabulate.co","wss://*.intercom-messenger.com","wss://*.intercom.io","wss://*.pusher.com"],"default-src":["'self'","blob:","https://*.fabulate.co","https://*.ibytedtos.com","https://*.intercomcdn.com","https://*.tiktokcdn.com"],"font-src":["'self'","data:","https://*.fabulate.co","https://*.intercomcdn.com","https://fonts.gstatic.com"],"frame-src":["https://*.google.com","https://*.instagram.com","https://*.loom.com","https://*.stripe.com","https://*.tiktok.com","https://*.youtube.com","https://player.vimeo.com","https://widget.intercom.io"],"img-src":["'self'","blob:","data:","https://*.fabulate.co","https://*.fbcdn.net","https://*.googleusercontent.com","https://*.intercomassets.com","https://*.intercomcdn.com","https://*.modash.io","https://*.tiktokcdn.com","https://cdn.jsdelivr.net","https://unpkg.com"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'","http://*.google.com","https://*.gstatic.com","https://*.i.posthog.com","https://*.instagram.com","https://*.intercom.io","https://*.intercomcdn.com","https://*.pusher.com","https://*.stripe.com","https://*.tiktok.com","https://*.ttwstatic.com","https://*.youtube.com","https://cdnjs.cloudflare.com","https://connect.facebook.net"],"style-src":["'self'","'unsafe-inline'","https://*.gstatic.com","https://*.ttwstatic.com","https://fonts.googleapis.com"],"worker-src":["'self'","blob:","https://cdnjs.cloudflare.com"]},"directiveOrder":["default-src","script-src","style-src","font-src","img-src","connect-src","frame-src","worker-src","object-src","b
ase-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","http://*.google.com":"host-source","https://*.abstractapi.com":"host-source","https://*.cloud.mongodb.com":"host-source","https://*.fabulate.co":"host-source","https://*.fbcdn.net":"host-source","https://*.google.com":"host-source","https://*.googleapis.com":"host-source","https://*.googleusercontent.com":"host-source","https://*.gstatic.com":"host-source","https://*.i.posthog.com":"host-source","https://*.ibytedtos.com":"host-source","https://*.instagram.com":"host-source","https://*.intercom-messenger.com":"host-source","https://*.intercom.io":"host-source","https://*.intercomassets.com":"host-source","https://*.intercomcdn.com":"host-source","https://*.loom.com":"host-source","https://*.modash.io":"host-source","https://*.mongodb.com":"host-source","https://*.pusher.com":"host-source","https://*.stripe.com":"host-source","https://*.tiktok.com":"host-source","https://*.tiktokcdn.com":"host-source","https://*.ttwstatic.com":"host-source","https://*.youtube.com":"host-source","https://api.ipify.org":"host-source","https://cdn.jsdelivr.net":"host-source","https://cdnjs.cloudflare.com":"host-source","https://connect.facebook.net":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://graph.facebook.com":"host-source","https://player.vimeo.com":"host-source","https://unpkg.com":"host-source","https://widget.intercom.io":"host-source","wss://*.fabulate.co":"host-source","wss://*.intercom-messenger.com":"host-source","wss://*.intercom.io":"host-source","wss://*.pusher.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self' blob: https://*.fabulate.co https://*.ibytedtos.com https://*.intercomcdn.com https://*.tiktokcdn.com; script-src 'self' 
'unsafe-eval' http://*.google.com https://*.gstatic.com https://*.i.posthog.com https://*.instagram.com https://*.intercom.io https://*.intercomcdn.com https://*.pusher.com https://*.stripe.com https://*.tiktok.com https://*.ttwstatic.com https://*.youtube.com https://cdnjs.cloudflare.com https://connect.facebook.net; style-src 'self' 'unsafe-inline' https://*.gstatic.com https://*.ttwstatic.com https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' blob: data: https://*.abstractapi.com https://*.cloud.mongodb.com https://*.fabulate.co https://*.google.com https://*.googleapis.com https://*.googleusercontent.com https://*.gstatic.com https://*.i.posthog.com https://*.intercom-messenger.com https://*.intercom.io https://*.mongodb.com https://*.pusher.com https://api.ipify.org https://graph.facebook.com wss://*.fabulate.co wss://*.intercom-messenger.com wss://*.intercom.io wss://*.pusher.com; font-src 'self' data: https://*.fabulate.co https://*.intercomcdn.com https://fonts.gstatic.com; frame-src https://*.google.com https://*.instagram.com https://*.loom.com https://*.stripe.com https://*.tiktok.com https://*.youtube.com https://player.vimeo.com https://widget.intercom.io; img-src 'self' blob: data: https://*.fabulate.co https://*.fbcdn.net https://*.googleusercontent.com https://*.intercomassets.com https://*.intercomcdn.com https://*.modash.io https://*.tiktokcdn.com https://cdn.jsdelivr.net https://unpkg.com; worker-src 'self' blob: https://cdnjs.cloudflare.com;"],"stats":{"totalHigh":0,"totalMedium":20,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.youtube.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.intercom.io","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"http://*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.gstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.i.posthog.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.instagram.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.ttwstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.intercomcdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.pusher.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.stripe.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.tiktok.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"https://*.tiktokcdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"https://*.fabulate.co","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"https://*.ibytedtos.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"https://*.intercomcdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"script-src","source":"http://*.google.com","message":"Allowing content over insecure channels can allow snooping and tampering of data.","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdnjs.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://connect.facebook.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699e8c0c496846fac56e6c1d","ts":"2026-02-25T05:43:40.696Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://stage2.fabulate.co/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self' blob: https://*.fabulate.co https://*.intercomcdn.com https://*.tiktokcdn.com https://*.ibytedtos.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.google.com https://*.gstatic.com https://*.instagram.com https://*.youtube.com https://*.tiktok.com https://*.pusher.com https://*.stripe.com https://*.intercomcdn.com https://*.posthog.com https://*.ttwstatic.com https://connect.facebook.net https://*.intercom.io; style-src 'self' 'unsafe-inline' https://*.ttwstatic.com https://fonts.googleapis.com https://*.google.com https://*.gstatic.com; font-src 'self' data: https://fonts.gstatic.com https://*.intercomcdn.com https://*.fabulate.co; img-src 'self' data: blob: https://*.googleusercontent.com https://*.ibytedtos.com https://*.intercomassets.com https://unpkg.com https://*.fabulate.co https://*.modash.io https://*.fbcdn.net https://*.tiktokcdn.com https://cdn.jsdelivr.net https://*.intercomcdn.com https://*.google.com https://*.gstatic.com https://yt3.googleusercontent.com; connect-src 'self' blob: data: wss: https://*.googleusercontent.com https://*.google.com https://*.intercomcdn.com https://*.pusher.com https://*.fabulate.co https://*.intercom.io https://*.posthog.com https://*.mongodb.com https://*.googleapis.com https://api.ipify.org https://connect.facebook.net https://*.cloud.mongodb.com https://*.abstractapi.com https://*.gstatic.com; frame-src blob: https://intercom-sheets.com https://*.loom.com https://*.instagram.com https://*.google.com https://*.tiktok.com 
https://*.stripe.com https://*.recaptcha.net https://*.youtube.com https://player.vimeo.com https://view.officeapps.live.com; worker-src 'self' blob:; frame-ancestors 'none'; object-src 'none'; base-uri 'none';","directives":{"base-uri":["'none'"],"connect-src":["'self'","blob:","data:","https://*.abstractapi.com","https://*.cloud.mongodb.com","https://*.fabulate.co","https://*.google.com","https://*.googleapis.com","https://*.googleusercontent.com","https://*.gstatic.com","https://*.intercom.io","https://*.intercomcdn.com","https://*.mongodb.com","https://*.posthog.com","https://*.pusher.com","https://api.ipify.org","https://connect.facebook.net","wss:"],"default-src":["'self'","blob:","https://*.fabulate.co","https://*.ibytedtos.com","https://*.intercomcdn.com","https://*.tiktokcdn.com"],"font-src":["'self'","data:","https://*.fabulate.co","https://*.intercomcdn.com","https://fonts.gstatic.com"],"frame-ancestors":["'none'"],"frame-src":["blob:","https://*.google.com","https://*.instagram.com","https://*.loom.com","https://*.recaptcha.net","https://*.stripe.com","https://*.tiktok.com","https://*.youtube.com","https://intercom-sheets.com","https://player.vimeo.com","https://view.officeapps.live.com"],"img-src":["'self'","blob:","data:","https://*.fabulate.co","https://*.fbcdn.net","https://*.google.com","https://*.googleusercontent.com","https://*.gstatic.com","https://*.ibytedtos.com","https://*.intercomassets.com","https://*.intercomcdn.com","https://*.modash.io","https://*.tiktokcdn.com","https://cdn.jsdelivr.net","https://unpkg.com","https://yt3.googleusercontent.com"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","https://*.google.com","https://*.gstatic.com","https://*.instagram.com","https://*.intercom.io","https://*.intercomcdn.com","https://*.posthog.com","https://*.pusher.com","https://*.stripe.com","https://*.tiktok.com","https://*.ttwstatic.com","https://*.youtube.com","https://connect.facebook.net"],"style-src":["'self
'","'unsafe-inline'","https://*.google.com","https://*.gstatic.com","https://*.ttwstatic.com","https://fonts.googleapis.com"],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","script-src","style-src","font-src","img-src","connect-src","frame-src","worker-src","frame-ancestors","object-src","base-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","https://*.abstractapi.com":"host-source","https://*.cloud.mongodb.com":"host-source","https://*.fabulate.co":"host-source","https://*.fbcdn.net":"host-source","https://*.google.com":"host-source","https://*.googleapis.com":"host-source","https://*.googleusercontent.com":"host-source","https://*.gstatic.com":"host-source","https://*.ibytedtos.com":"host-source","https://*.instagram.com":"host-source","https://*.intercom.io":"host-source","https://*.intercomassets.com":"host-source","https://*.intercomcdn.com":"host-source","https://*.loom.com":"host-source","https://*.modash.io":"host-source","https://*.mongodb.com":"host-source","https://*.posthog.com":"host-source","https://*.pusher.com":"host-source","https://*.recaptcha.net":"host-source","https://*.stripe.com":"host-source","https://*.tiktok.com":"host-source","https://*.tiktokcdn.com":"host-source","https://*.ttwstatic.com":"host-source","https://*.youtube.com":"host-source","https://api.ipify.org":"host-source","https://cdn.jsdelivr.net":"host-source","https://connect.facebook.net":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://intercom-sheets.com":"host-source","https://player.vimeo.com":"host-source","https://unpkg.com":"host-source","https://view.officeapps.live.com":"host-source","https://yt3.googleusercontent.com":"host-source","wss:":"scheme-source"}},"disposition":"enforce","source":"header","policies":
["default-src 'self' blob: https://*.fabulate.co https://*.ibytedtos.com https://*.intercomcdn.com https://*.tiktokcdn.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.google.com https://*.gstatic.com https://*.instagram.com https://*.intercom.io https://*.intercomcdn.com https://*.posthog.com https://*.pusher.com https://*.stripe.com https://*.tiktok.com https://*.ttwstatic.com https://*.youtube.com https://connect.facebook.net; style-src 'self' 'unsafe-inline' https://*.google.com https://*.gstatic.com https://*.ttwstatic.com https://fonts.googleapis.com; object-src 'none'; base-uri 'none'; connect-src 'self' blob: data: https://*.abstractapi.com https://*.cloud.mongodb.com https://*.fabulate.co https://*.google.com https://*.googleapis.com https://*.googleusercontent.com https://*.gstatic.com https://*.intercom.io https://*.intercomcdn.com https://*.mongodb.com https://*.posthog.com https://*.pusher.com https://api.ipify.org https://connect.facebook.net wss:; font-src 'self' data: https://*.fabulate.co https://*.intercomcdn.com https://fonts.gstatic.com; frame-ancestors 'none'; frame-src blob: https://*.google.com https://*.instagram.com https://*.loom.com https://*.recaptcha.net https://*.stripe.com https://*.tiktok.com https://*.youtube.com https://intercom-sheets.com https://player.vimeo.com https://view.officeapps.live.com; img-src 'self' blob: data: https://*.fabulate.co https://*.fbcdn.net https://*.google.com https://*.googleusercontent.com https://*.gstatic.com https://*.ibytedtos.com https://*.intercomassets.com https://*.intercomcdn.com https://*.modash.io https://*.tiktokcdn.com https://cdn.jsdelivr.net https://unpkg.com https://yt3.googleusercontent.com; worker-src 'self' blob:;"],"stats":{"totalHigh":1,"totalMedium":18,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the 
primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.stripe.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.ttwstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.gstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.instagram.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.intercom.io","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.intercomcdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.posthog.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.pusher.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.youtube.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.tiktok.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"https://*.fabulate.co","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"https://*.ibytedtos.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"https://*.intercomcdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"https://*.tiktokcdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://connect.facebook.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699e8bc6200db552f240dea0","ts":"2026-02-25T05:42:30.421Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://delta3.fabulate.co/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-eval' http://*.google.com https://*.gstatic.com https://*.instagram.com https://*.youtube.com https://*.tiktok.com https://*.ttwstatic.com https://*.pusher.com https://*.stripe.com https://connect.facebook.net https://*.intercomcdn.com https://*.intercom.io https://*.i.posthog.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.gstatic.com https://*.ttwstatic.com; font-src 'self' data: https://fonts.gstatic.com https://*.intercomcdn.com https://*.fabulate.co; img-src 'self' data: blob: https://*.modash.io https://*.googleusercontent.com https://*.intercomassets.com https://*.intercomcdn.com https://*.fabulate.co https://*.fbcdn.net https://*.tiktokcdn.com https://unpkg.com https://cdn.jsdelivr.net; connect-src 'self' blob: data: https://*.google.com https://*.pusher.com wss://*.pusher.com https://*.i.posthog.com https://*.intercom.io wss://*.intercom.io https://*.intercom-messenger.com wss://*.intercom-messenger.com https://*.fabulate.co wss://*.fabulate.co https://graph.facebook.com https://*.googleapis.com https://*.googleusercontent.com https://*.gstatic.com https://*.mongodb.com https://*.cloud.mongodb.com https://*.abstractapi.com https://api.ipify.org; frame-src https://*.google.com https://*.loom.com https://*.instagram.com https://*.tiktok.com https://*.stripe.com https://*.youtube.com https://player.vimeo.com https://widget.intercom.io; worker-src 'self' blob: https://cdnjs.cloudflare.com; 
frame-ancestors 'none'; object-src 'none'; base-uri 'self';","directives":{"base-uri":["'self'"],"connect-src":["'self'","blob:","data:","https://*.abstractapi.com","https://*.cloud.mongodb.com","https://*.fabulate.co","https://*.google.com","https://*.googleapis.com","https://*.googleusercontent.com","https://*.gstatic.com","https://*.i.posthog.com","https://*.intercom-messenger.com","https://*.intercom.io","https://*.mongodb.com","https://*.pusher.com","https://api.ipify.org","https://graph.facebook.com","wss://*.fabulate.co","wss://*.intercom-messenger.com","wss://*.intercom.io","wss://*.pusher.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://*.fabulate.co","https://*.intercomcdn.com","https://fonts.gstatic.com"],"frame-ancestors":["'none'"],"frame-src":["https://*.google.com","https://*.instagram.com","https://*.loom.com","https://*.stripe.com","https://*.tiktok.com","https://*.youtube.com","https://player.vimeo.com","https://widget.intercom.io"],"img-src":["'self'","blob:","data:","https://*.fabulate.co","https://*.fbcdn.net","https://*.googleusercontent.com","https://*.intercomassets.com","https://*.intercomcdn.com","https://*.modash.io","https://*.tiktokcdn.com","https://cdn.jsdelivr.net","https://unpkg.com"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'","http://*.google.com","https://*.gstatic.com","https://*.i.posthog.com","https://*.instagram.com","https://*.intercom.io","https://*.intercomcdn.com","https://*.pusher.com","https://*.stripe.com","https://*.tiktok.com","https://*.ttwstatic.com","https://*.youtube.com","https://cdnjs.cloudflare.com","https://connect.facebook.net"],"style-src":["'self'","'unsafe-inline'","https://*.gstatic.com","https://*.ttwstatic.com","https://fonts.googleapis.com"],"worker-src":["'self'","blob:","https://cdnjs.cloudflare.com"]},"directiveOrder":["default-src","script-src","style-src","font-src","img-src","connect-src","frame-src","worker-src","frame-ancestors","object-src","base-uri"],"di
sposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","http://*.google.com":"host-source","https://*.abstractapi.com":"host-source","https://*.cloud.mongodb.com":"host-source","https://*.fabulate.co":"host-source","https://*.fbcdn.net":"host-source","https://*.google.com":"host-source","https://*.googleapis.com":"host-source","https://*.googleusercontent.com":"host-source","https://*.gstatic.com":"host-source","https://*.i.posthog.com":"host-source","https://*.instagram.com":"host-source","https://*.intercom-messenger.com":"host-source","https://*.intercom.io":"host-source","https://*.intercomassets.com":"host-source","https://*.intercomcdn.com":"host-source","https://*.loom.com":"host-source","https://*.modash.io":"host-source","https://*.mongodb.com":"host-source","https://*.pusher.com":"host-source","https://*.stripe.com":"host-source","https://*.tiktok.com":"host-source","https://*.tiktokcdn.com":"host-source","https://*.ttwstatic.com":"host-source","https://*.youtube.com":"host-source","https://api.ipify.org":"host-source","https://cdn.jsdelivr.net":"host-source","https://cdnjs.cloudflare.com":"host-source","https://connect.facebook.net":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://graph.facebook.com":"host-source","https://player.vimeo.com":"host-source","https://unpkg.com":"host-source","https://widget.intercom.io":"host-source","wss://*.fabulate.co":"host-source","wss://*.intercom-messenger.com":"host-source","wss://*.intercom.io":"host-source","wss://*.pusher.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' http://*.google.com https://*.gstatic.com https://*.i.posthog.com https://*.instagram.com https://*.intercom.io https://*.intercomcdn.com 
https://*.pusher.com https://*.stripe.com https://*.tiktok.com https://*.ttwstatic.com https://*.youtube.com https://cdnjs.cloudflare.com https://connect.facebook.net; style-src 'self' 'unsafe-inline' https://*.gstatic.com https://*.ttwstatic.com https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' blob: data: https://*.abstractapi.com https://*.cloud.mongodb.com https://*.fabulate.co https://*.google.com https://*.googleapis.com https://*.googleusercontent.com https://*.gstatic.com https://*.i.posthog.com https://*.intercom-messenger.com https://*.intercom.io https://*.mongodb.com https://*.pusher.com https://api.ipify.org https://graph.facebook.com wss://*.fabulate.co wss://*.intercom-messenger.com wss://*.intercom.io wss://*.pusher.com; font-src 'self' data: https://*.fabulate.co https://*.intercomcdn.com https://fonts.gstatic.com; frame-ancestors 'none'; frame-src https://*.google.com https://*.instagram.com https://*.loom.com https://*.stripe.com https://*.tiktok.com https://*.youtube.com https://player.vimeo.com https://widget.intercom.io; img-src 'self' blob: data: https://*.fabulate.co https://*.fbcdn.net https://*.googleusercontent.com https://*.intercomassets.com https://*.intercomcdn.com https://*.modash.io https://*.tiktokcdn.com https://cdn.jsdelivr.net https://unpkg.com; worker-src 'self' blob: https://cdnjs.cloudflare.com;"],"stats":{"totalHigh":0,"totalMedium":16,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.tiktok.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"http://*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.gstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.i.posthog.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.instagram.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.intercom.io","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.intercomcdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.stripe.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.pusher.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.youtube.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.ttwstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"script-src","source":"http://*.google.com","message":"Allowing content over insecure channels can allow snooping and tampering of data.","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdnjs.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://connect.facebook.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699e8237496846fac56e6c1c","ts":"2026-02-25T05:01:43.663Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://delta3.fabulate.co/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-eval' http://*.google.com https://*.gstatic.com https://*.instagram.com https://*.youtube.com https://*.tiktok.com https://*.ttwstatic.com https://*.pusher.com https://*.stripe.com https://connect.facebook.net https://*.intercomcdn.com https://*.intercom.io https://*.i.posthog.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.gstatic.com https://*.ttwstatic.com; font-src 'self' data: https://fonts.gstatic.com https://*.intercomcdn.com https://*.fabulate.co; img-src 'self' data: blob: https://*.modash.io https://*.googleusercontent.com https://*.intercomassets.com https://*.intercomcdn.com https://*.fabulate.co https://*.fbcdn.net https://*.tiktokcdn.com https://unpkg.com https://cdn.jsdelivr.net; connect-src 'self' blob: data: https://*.google.com https://*.pusher.com wss://*.pusher.com https://*.i.posthog.com https://*.intercom.io wss://*.intercom.io https://*.intercom-messenger.com wss://*.intercom-messenger.com https://*.fabulate.co wss://*.fabulate.co https://graph.facebook.com https://*.googleapis.com https://*.googleusercontent.com https://*.gstatic.com https://*.mongodb.com https://*.cloud.mongodb.com https://*.abstractapi.com https://api.ipify.org; frame-src https://*.google.com https://*.loom.com https://*.instagram.com https://*.tiktok.com https://*.stripe.com https://*.youtube.com https://player.vimeo.com https://widget.intercom.io; worker-src 'self' blob: https://cdnjs.cloudflare.com; object-src 
'none'; base-uri 'self';","directives":{"base-uri":["'self'"],"connect-src":["'self'","blob:","data:","https://*.abstractapi.com","https://*.cloud.mongodb.com","https://*.fabulate.co","https://*.google.com","https://*.googleapis.com","https://*.googleusercontent.com","https://*.gstatic.com","https://*.i.posthog.com","https://*.intercom-messenger.com","https://*.intercom.io","https://*.mongodb.com","https://*.pusher.com","https://api.ipify.org","https://graph.facebook.com","wss://*.fabulate.co","wss://*.intercom-messenger.com","wss://*.intercom.io","wss://*.pusher.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://*.fabulate.co","https://*.intercomcdn.com","https://fonts.gstatic.com"],"frame-src":["https://*.google.com","https://*.instagram.com","https://*.loom.com","https://*.stripe.com","https://*.tiktok.com","https://*.youtube.com","https://player.vimeo.com","https://widget.intercom.io"],"img-src":["'self'","blob:","data:","https://*.fabulate.co","https://*.fbcdn.net","https://*.googleusercontent.com","https://*.intercomassets.com","https://*.intercomcdn.com","https://*.modash.io","https://*.tiktokcdn.com","https://cdn.jsdelivr.net","https://unpkg.com"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'","http://*.google.com","https://*.gstatic.com","https://*.i.posthog.com","https://*.instagram.com","https://*.intercom.io","https://*.intercomcdn.com","https://*.pusher.com","https://*.stripe.com","https://*.tiktok.com","https://*.ttwstatic.com","https://*.youtube.com","https://cdnjs.cloudflare.com","https://connect.facebook.net"],"style-src":["'self'","'unsafe-inline'","https://*.gstatic.com","https://*.ttwstatic.com","https://fonts.googleapis.com"],"worker-src":["'self'","blob:","https://cdnjs.cloudflare.com"]},"directiveOrder":["default-src","script-src","style-src","font-src","img-src","connect-src","frame-src","worker-src","object-src","base-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source
","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","http://*.google.com":"host-source","https://*.abstractapi.com":"host-source","https://*.cloud.mongodb.com":"host-source","https://*.fabulate.co":"host-source","https://*.fbcdn.net":"host-source","https://*.google.com":"host-source","https://*.googleapis.com":"host-source","https://*.googleusercontent.com":"host-source","https://*.gstatic.com":"host-source","https://*.i.posthog.com":"host-source","https://*.instagram.com":"host-source","https://*.intercom-messenger.com":"host-source","https://*.intercom.io":"host-source","https://*.intercomassets.com":"host-source","https://*.intercomcdn.com":"host-source","https://*.loom.com":"host-source","https://*.modash.io":"host-source","https://*.mongodb.com":"host-source","https://*.pusher.com":"host-source","https://*.stripe.com":"host-source","https://*.tiktok.com":"host-source","https://*.tiktokcdn.com":"host-source","https://*.ttwstatic.com":"host-source","https://*.youtube.com":"host-source","https://api.ipify.org":"host-source","https://cdn.jsdelivr.net":"host-source","https://cdnjs.cloudflare.com":"host-source","https://connect.facebook.net":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://graph.facebook.com":"host-source","https://player.vimeo.com":"host-source","https://unpkg.com":"host-source","https://widget.intercom.io":"host-source","wss://*.fabulate.co":"host-source","wss://*.intercom-messenger.com":"host-source","wss://*.intercom.io":"host-source","wss://*.pusher.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' http://*.google.com https://*.gstatic.com https://*.i.posthog.com https://*.instagram.com https://*.intercom.io https://*.intercomcdn.com https://*.pusher.com https://*.stripe.com https://*.tiktok.com 
https://*.ttwstatic.com https://*.youtube.com https://cdnjs.cloudflare.com https://connect.facebook.net; style-src 'self' 'unsafe-inline' https://*.gstatic.com https://*.ttwstatic.com https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' blob: data: https://*.abstractapi.com https://*.cloud.mongodb.com https://*.fabulate.co https://*.google.com https://*.googleapis.com https://*.googleusercontent.com https://*.gstatic.com https://*.i.posthog.com https://*.intercom-messenger.com https://*.intercom.io https://*.mongodb.com https://*.pusher.com https://api.ipify.org https://graph.facebook.com wss://*.fabulate.co wss://*.intercom-messenger.com wss://*.intercom.io wss://*.pusher.com; font-src 'self' data: https://*.fabulate.co https://*.intercomcdn.com https://fonts.gstatic.com; frame-src https://*.google.com https://*.instagram.com https://*.loom.com https://*.stripe.com https://*.tiktok.com https://*.youtube.com https://player.vimeo.com https://widget.intercom.io; img-src 'self' blob: data: https://*.fabulate.co https://*.fbcdn.net https://*.googleusercontent.com https://*.intercomassets.com https://*.intercomcdn.com https://*.modash.io https://*.tiktokcdn.com https://cdn.jsdelivr.net https://unpkg.com; worker-src 'self' blob: https://cdnjs.cloudflare.com;"],"stats":{"totalHigh":0,"totalMedium":16,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.tiktok.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"http://*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.gstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.i.posthog.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.instagram.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.intercom.io","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.intercomcdn.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.stripe.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.pusher.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.youtube.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.ttwstatic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"script-src","source":"http://*.google.com","message":"Allowing content over insecure channels can allow allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdnjs.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://connect.facebook.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699e4c2e200db552f240de8c","ts":"2026-02-25T01:11:10.588Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://uat-www2.netx360.inautix.com/plus/login","isHidden":false,"parsedPolicy":{"policy":"default-src 'self' whatfix.com cdn.whatfix.com www.pllcfiles.com xat-www.pllcfiles.inautix.com uat-www.pllcfiles.inautix.com qa-www.pllcfiles.inautix.com cdn.cookielaw.org fonts.gstatic.com use.typekit.net fonts.googleapis.com privacyportal-cdn.onetrust.com privacyportal.onetrust.com; script-src 'nonce-+A9UNq5MdNHYTskPJ2jzCpiKNJkmC6jRuHheg2xGw/E=' 'self' whatfix.com cdn.whatfix.com www.pllcfiles.com xat-www.pllcfiles.inautix.com uat-www.pllcfiles.inautix.com qa-www.pllcfiles.inautix.com cdn.cookielaw.org fonts.gstatic.com use.typekit.net fonts.googleapis.com privacyportal-cdn.onetrust.com privacyportal.onetrust.com; style-src 'self' 'unsafe-inline' whatfix.com cdn.whatfix.com www.pllcfiles.com xat-www.pllcfiles.inautix.com uat-www.pllcfiles.inautix.com qa-www.pllcfiles.inautix.com cdn.cookielaw.org fonts.gstatic.com use.typekit.net fonts.googleapis.com privacyportal-cdn.onetrust.com privacyportal.onetrust.com; frame-ancestors 'self'; form-action 'self' login.microsoftonline.com; 
upgrade-insecure-requests","directives":{"default-src":["'self'","cdn.cookielaw.org","cdn.whatfix.com","fonts.googleapis.com","fonts.gstatic.com","privacyportal-cdn.onetrust.com","privacyportal.onetrust.com","qa-www.pllcfiles.inautix.com","uat-www.pllcfiles.inautix.com","use.typekit.net","whatfix.com","www.pllcfiles.com","xat-www.pllcfiles.inautix.com"],"form-action":["'self'","login.microsoftonline.com"],"frame-ancestors":["'self'"],"script-src":["'nonce-+A9UNq5MdNHYTskPJ2jzCpiKNJkmC6jRuHheg2xGw/E='","'self'","cdn.cookielaw.org","cdn.whatfix.com","fonts.googleapis.com","fonts.gstatic.com","privacyportal-cdn.onetrust.com","privacyportal.onetrust.com","qa-www.pllcfiles.inautix.com","uat-www.pllcfiles.inautix.com","use.typekit.net","whatfix.com","www.pllcfiles.com","xat-www.pllcfiles.inautix.com"],"style-src":["'self'","'unsafe-inline'","cdn.cookielaw.org","cdn.whatfix.com","fonts.googleapis.com","fonts.gstatic.com","privacyportal-cdn.onetrust.com","privacyportal.onetrust.com","qa-www.pllcfiles.inautix.com","uat-www.pllcfiles.inautix.com","use.typekit.net","whatfix.com","www.pllcfiles.com","xat-www.pllcfiles.inautix.com"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","frame-ancestors","form-action","upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-+A9UNq5MdNHYTskPJ2jzCpiKNJkmC6jRuHheg2xGw/E='":"nonce-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","cdn.cookielaw.org":"host-source","cdn.whatfix.com":"host-source","fonts.googleapis.com":"host-source","fonts.gstatic.com":"host-source","login.microsoftonline.com":"host-source","privacyportal-cdn.onetrust.com":"host-source","privacyportal.onetrust.com":"host-source","qa-www.pllcfiles.inautix.com":"host-source","uat-www.pllcfiles.inautix.com":"host-source","use.typekit.net":"host-source","whatfix.com":"host-source","www.pllcfiles.com":"host-source","xat-www.pllcfiles.inautix.com":"host-source"}},"disposition":"enf
orce","source":"header","policies":["default-src 'self' cdn.cookielaw.org cdn.whatfix.com fonts.googleapis.com fonts.gstatic.com privacyportal-cdn.onetrust.com privacyportal.onetrust.com qa-www.pllcfiles.inautix.com uat-www.pllcfiles.inautix.com use.typekit.net whatfix.com www.pllcfiles.com xat-www.pllcfiles.inautix.com; script-src 'nonce-+A9UNq5MdNHYTskPJ2jzCpiKNJkmC6jRuHheg2xGw/E=' 'self' cdn.cookielaw.org cdn.whatfix.com fonts.googleapis.com fonts.gstatic.com privacyportal-cdn.onetrust.com privacyportal.onetrust.com qa-www.pllcfiles.inautix.com uat-www.pllcfiles.inautix.com use.typekit.net whatfix.com www.pllcfiles.com xat-www.pllcfiles.inautix.com; style-src 'self' 'unsafe-inline' cdn.cookielaw.org cdn.whatfix.com fonts.googleapis.com fonts.gstatic.com privacyportal-cdn.onetrust.com privacyportal.onetrust.com qa-www.pllcfiles.inautix.com uat-www.pllcfiles.inautix.com use.typekit.net whatfix.com www.pllcfiles.com xat-www.pllcfiles.inautix.com; form-action 'self' login.microsoftonline.com; frame-ancestors 'self'; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":15,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"privacyportal.onetrust.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"uat-www.pllcfiles.inautix.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn.cookielaw.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn.whatfix.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"fonts.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"fonts.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"privacyportal-cdn.onetrust.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"qa-www.pllcfiles.inautix.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"use.typekit.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"whatfix.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.pllcfiles.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"xat-www.pllcfiles.inautix.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699dee98496846fac56e6be1","ts":"2026-02-24T18:31:52.656Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://portal-qa.saraplus.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'self'; img-src 'self' data: https:; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://us-autocomplete-pro.api.smarty.com; upgrade-insecure-requests;","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://us-autocomplete-pro.api.smarty.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["'none'"],"img-src":["'self'","data:","https:"],"object-src":["'none'"],"script-src":["'self'"],"style-src":["'self'","'unsafe-inline'","https://fonts.googleapis.com"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","base-uri","object-src","frame-ancestors","form-action","img-src","script-src","style-src","font-src","connect-src","upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source","https:":"scheme-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://us-autocomplete-pro.api.smarty.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' 
https://us-autocomplete-pro.api.smarty.com; font-src 'self' data: https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699dedcf496846fac56e6be0","ts":"2026-02-24T18:28:31.697Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://portal-qa.saraplus.com","isHidden":false,"parsedPolicy":{"policy":"\n img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *;\n style-src 'self' 'unsafe-inline' *;\n font-src 'self' data: https://fonts.gstatic.com;","directives":{"font-src":["'self'","data:","https://fonts.gstatic.com"],"img-src":["'self'","*","data:","https:"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","*","blob:"],"style-src":["'self'","'unsafe-inline'","*"]},"directiveOrder":["img-src","script-src","style-src","font-src"],"disposition":"enforce","delivery":"meta","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","blob:":"scheme-source","data:":"scheme-source","https:":"scheme-source","https://fonts.gstatic.com":"host-source"}},"disposition":"enforce","source":"meta","policies":["script-src 'self' 'unsafe-eval' 'unsafe-inline' * blob:; style-src 'self' 'unsafe-inline' *; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' * data: https:;"],"stats":{"totalHigh":3,"totalMedium":4,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. 
This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"*","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699dec6a496846fac56e6bde","ts":"2026-02-24T18:22:34.318Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://portal-qa.saraplus.com","isHidden":false,"parsedPolicy":{"policy":"\n img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *;\n style-src 'self' 'unsafe-inline' *;\n font-src 'self' data: https://fonts.gstatic.com;","directives":{"font-src":["'self'","data:","https://fonts.gstatic.com"],"img-src":["'self'","*","data:","https:"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","*","blob:"],"style-src":["'self'","'unsafe-inline'","*"]},"directiveOrder":["img-src","script-src","style-src","font-src"],"disposition":"enforce","delivery":"meta","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","blob:":"scheme-source","data:":"scheme-source","https:":"scheme-source","https://fonts.gstatic.com":"host-source"}},"disposition":"enforce","source":"meta","policies":["script-src 'self' 'unsafe-eval' 'unsafe-inline' * blob:; style-src 'self' 'unsafe-inline' *; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' * data: 
https:;"],"stats":{"totalHigh":3,"totalMedium":4,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"*","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699debf0200db552f240de67","ts":"2026-02-24T18:20:32.754Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://portal-qa.saraplus.com","isHidden":false,"parsedPolicy":{"policy":"\n img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *;\n style-src 'self' 'unsafe-inline' *;\n font-src 'self' data: https://fonts.gstatic.com;","directives":{"font-src":["'self'","data:","https://fonts.gstatic.com"],"img-src":["'self'","*","data:","https:"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","*","blob:"],"style-src":["'self'","'unsafe-inline'","*"]},"directiveOrder":["img-src","script-src","style-src","font-src"],"disposition":"enforce","delivery":"meta","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","blob:":"scheme-source","data:":"scheme-source","https:":"scheme-source","https://fonts.gstatic.com":"host-source"}},"disposition":"enforce","source":"meta","policies":["script-src 'self' 'unsafe-eval' 'unsafe-inline' * blob:; style-src 'self' 'unsafe-inline' *; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' * data: https:;"],"stats":{"totalHigh":3,"totalMedium":4,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. 
This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"*","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699deb46496846fac56e6bdd","ts":"2026-02-24T18:17:42.11Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://portal-qa.saraplus.com","isHidden":false,"parsedPolicy":{"policy":"\n img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *;\n style-src 'self' 'unsafe-inline' *;\n font-src 'self' data: https://fonts.gstatic.com;","directives":{"font-src":["'self'","data:","https://fonts.gstatic.com"],"img-src":["'self'","*","data:","https:"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","*","blob:"],"style-src":["'self'","'unsafe-inline'","*"]},"directiveOrder":["img-src","script-src","style-src","font-src"],"disposition":"enforce","delivery":"meta","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","blob:":"scheme-source","data:":"scheme-source","https:":"scheme-source","https://fonts.gstatic.com":"host-source"}},"disposition":"enforce","source":"meta","policies":["script-src 'self' 'unsafe-eval' 'unsafe-inline' * blob:; style-src 'self' 'unsafe-inline' *; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' * data: 
https:;"],"stats":{"totalHigh":3,"totalMedium":4,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"*","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699de688200db552f240de64","ts":"2026-02-24T17:57:28.03Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.mitrace.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-eval'; script-src-attr 'self' 'unsafe-inline'; connect-src *; frame-src *; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: ; object-src 'none'; frame-ancestors 'self'; form-action *;","directives":{"connect-src":["*"],"default-src":["'self'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["*"],"frame-ancestors":["'self'"],"frame-src":["*"],"img-src":["'self'","data:"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'"],"script-src-attr":["'self'","'unsafe-inline'"],"style-src":["'self'","'unsafe-inline'","https://fonts.googleapis.com"]},"directiveOrder":["default-src","script-src","script-src-attr","connect-src","frame-src","style-src","font-src","img-src","object-src","frame-ancestors","form-action"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","data:":"scheme-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval'; script-src-attr 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'none'; connect-src *; font-src 'self' https://fonts.gstatic.com; form-action *; frame-ancestors 'self'; frame-src *; img-src 'self' 
data:;"],"stats":{"totalHigh":0,"totalMedium":3,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"script-src-attr","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. 
This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699de64d200db552f240de63","ts":"2026-02-24T17:56:29.475Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://uat.mitrace.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-eval'; script-src-attr 'self' 'unsafe-inline'; connect-src *; frame-src *; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; object-src 'none'; frame-ancestors 'self'; form-action 
*;","directives":{"connect-src":["*"],"default-src":["'self'"],"font-src":["'self'","https://fonts.gstatic.com"],"form-action":["*"],"frame-ancestors":["'self'"],"frame-src":["*"],"img-src":["'self'","data:"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'"],"script-src-attr":["'self'","'unsafe-inline'"],"style-src":["'self'","'unsafe-inline'","https://fonts.googleapis.com"]},"directiveOrder":["default-src","script-src","script-src-attr","connect-src","frame-src","style-src","font-src","img-src","object-src","frame-ancestors","form-action"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*":"host-source","data:":"scheme-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval'; script-src-attr 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'none'; connect-src *; font-src 'self' https://fonts.gstatic.com; form-action *; frame-ancestors 'self'; frame-src *; img-src 'self' data:;"],"stats":{"totalHigh":0,"totalMedium":3,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"script-src-attr","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699de4c2200db552f240de62","ts":"2026-02-24T17:49:54.283Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://statemag.state.gov","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'self' blob: 'unsafe-inline' 'unsafe-eval' https://statemag.state.gov https://player.vimeo.com https://www.googletagmanager.com https://www.google-analytics.com https://secure.gravatar.com https://statemag.gprod.getusinfo.com ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://statemag.state.gov https://statemag.gprod.getusinfo.com; img-src 'self' data: blob: https://statemag.state.gov https://i.vimeocdn.com https://www.googletagmanager.com https://secure.gravatar.com https://statemag.gprod.getusinfo.com https://pd.w.org https://ps.w.org https://s.w.org https://img.rawpixel.com; font-src 'self' data: https://fonts.gstatic.com https://statemag.state.gov https://statemag.gprod.getusinfo.com; connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com https://analytics.google.com https://statemag.gprod.getusinfo.com; frame-src 'self' blob: https://statemag.state.gov https://player.vimeo.com https://www.youtube.com https://ps.w.org 
https://statemag.gprod.getusinfo.com; media-src 'self' blob: https://upload.wikimedia.org; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; manifest-src 'self'; upgrade-insecure-requests;","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://analytics.google.com","https://statemag.gprod.getusinfo.com","https://www.google-analytics.com","https://www.googletagmanager.com"],"default-src":["'none'"],"font-src":["'self'","data:","https://fonts.gstatic.com","https://statemag.gprod.getusinfo.com","https://statemag.state.gov"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'","blob:","https://player.vimeo.com","https://ps.w.org","https://statemag.gprod.getusinfo.com","https://statemag.state.gov","https://www.youtube.com"],"img-src":["'self'","blob:","data:","https://i.vimeocdn.com","https://img.rawpixel.com","https://pd.w.org","https://ps.w.org","https://s.w.org","https://secure.gravatar.com","https://statemag.gprod.getusinfo.com","https://statemag.state.gov","https://www.googletagmanager.com"],"manifest-src":["'self'"],"media-src":["'self'","blob:","https://upload.wikimedia.org"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","blob:","https://player.vimeo.com","https://secure.gravatar.com","https://statemag.gprod.getusinfo.com","https://statemag.state.gov","https://www.google-analytics.com","https://www.googletagmanager.com"],"style-src":["'self'","'unsafe-inline'","https://fonts.googleapis.com","https://statemag.gprod.getusinfo.com","https://statemag.state.gov"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","frame-src","media-src","object-src","base-uri","form-action","frame-ancestors","manifest-src","upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":
"keyword-source","blob:":"scheme-source","data:":"scheme-source","https://analytics.google.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://i.vimeocdn.com":"host-source","https://img.rawpixel.com":"host-source","https://pd.w.org":"host-source","https://player.vimeo.com":"host-source","https://ps.w.org":"host-source","https://s.w.org":"host-source","https://secure.gravatar.com":"host-source","https://statemag.gprod.getusinfo.com":"host-source","https://statemag.state.gov":"host-source","https://upload.wikimedia.org":"host-source","https://www.google-analytics.com":"host-source","https://www.googletagmanager.com":"host-source","https://www.youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https://player.vimeo.com https://secure.gravatar.com https://statemag.gprod.getusinfo.com https://statemag.state.gov https://www.google-analytics.com https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://statemag.gprod.getusinfo.com https://statemag.state.gov; object-src 'none'; base-uri 'self'; connect-src 'self' https://analytics.google.com https://statemag.gprod.getusinfo.com https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' data: https://fonts.gstatic.com https://statemag.gprod.getusinfo.com https://statemag.state.gov; form-action 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://player.vimeo.com https://ps.w.org https://statemag.gprod.getusinfo.com https://statemag.state.gov https://www.youtube.com; img-src 'self' blob: data: https://i.vimeocdn.com https://img.rawpixel.com https://pd.w.org https://ps.w.org https://s.w.org https://secure.gravatar.com https://statemag.gprod.getusinfo.com https://statemag.state.gov https://www.googletagmanager.com; manifest-src 'self'; media-src 'self' blob: 
https://upload.wikimedia.org; upgrade-insecure-requests ;"],"stats":{"totalHigh":1,"totalMedium":8,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://player.vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://secure.gravatar.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://statemag.gprod.getusinfo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://statemag.state.gov","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699de3f9496846fac56e6bdc","ts":"2026-02-24T17:46:33.855Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.state.gov","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://player.vimeo.com https://www.googletagmanager.com https://www.google-analytics.com https://code.jquery.com https://findit.state.gov https://search.usa.gov https://cdn-3.convertexperiments.com https://sadmin.brightcove.com https://players.brightcove.net https://www.youtube.com https://googleads.g.doubleclick.net; style-src 'self' 'unsafe-inline' https://code.jquery.com https://fonts.googleapis.com https://use.fontawesome.com https://players.brightcove.net https://search.usa.gov; img-src 'self' data: blob: https://*.state.gov https://*.global.siteimproveanalytics.io https://6290244.global.r2.siteimproveanalytics.io https://googlead2.googlesyndication.com https://secure.gravatar.com https://www.google.com https://googleads.g.doubleclick.net https://i.ytimg.com https://api.flickr.com https://live.staticflickr.com https://www.googletagmanager.com https://s.w.org https://cf-images.us-east-1.prod.boltdns.net https://metrics.brightcove.com https://img.youtube.com https://d15vqlr7iz6e8x.cloudfront.net https://www.admincolumns.com https://connect.advancedcustomfields.com https://complianz.io https://ps.w.org https://www.joomunited.com; font-src 'self' data: https://fonts.gstatic.com https://use.fontawesome.com; connect-src 'self' https://googleads.g.doubleclick.net https://api.redirect.li https://dap.digitalgov.gov https://www.google-analytics.com https://analytics.google.com https://pagead2.googlesyndication.com https://www.googletagmanager.com 
https://gateway.foresee.com https://www.google.com https://www.googleadservices.com https://api.flickr.com https://stats.g.doubleclick.net https://yoast.com https://edge.api.brightcove.com https://public.govdelivery.com; frame-src 'self' blob: https://www.google.com https://www.googletagmanager.com https://www.youtube.com https://players.brightcove.net https://public.govdelivery.com; media-src 'self' blob:; script-src-elem 'self' 'unsafe-inline' data: https://cdn.carbonads.com https://www.gstatic.com https://www.google.com https://dap.digitalgov.gov https://siteimproveanalytics.com https://googleads.g.doubleclick.net https://www.youtube.com https://sadmin.brightcove.com https://www.googletagmanager.com https://findit.state.gov https://code.jquery.com https://ajax.googleapis.com https://www.google-analytics.com https://cdn-3.convertexperiments.com https://pagead2.googlesyndication.com https://search.usa.gov https://public.govdelivery.com; object-src 'none'; base-uri 'self'; form-action 'self' https://findit.state.gov; frame-ancestors 'self'; manifest-src 'self'; worker-src 'self' blob:; 
upgrade-insecure-requests;","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://analytics.google.com","https://api.flickr.com","https://api.redirect.li","https://dap.digitalgov.gov","https://edge.api.brightcove.com","https://gateway.foresee.com","https://googleads.g.doubleclick.net","https://pagead2.googlesyndication.com","https://public.govdelivery.com","https://stats.g.doubleclick.net","https://www.google-analytics.com","https://www.google.com","https://www.googleadservices.com","https://www.googletagmanager.com","https://yoast.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://fonts.gstatic.com","https://use.fontawesome.com"],"form-action":["'self'","https://findit.state.gov"],"frame-ancestors":["'self'"],"frame-src":["'self'","blob:","https://players.brightcove.net","https://public.govdelivery.com","https://www.google.com","https://www.googletagmanager.com","https://www.youtube.com"],"img-src":["'self'","blob:","data:","https://*.global.siteimproveanalytics.io","https://*.state.gov","https://6290244.global.r2.siteimproveanalytics.io","https://api.flickr.com","https://cf-images.us-east-1.prod.boltdns.net","https://complianz.io","https://connect.advancedcustomfields.com","https://d15vqlr7iz6e8x.cloudfront.net","https://googlead2.googlesyndication.com","https://googleads.g.doubleclick.net","https://i.ytimg.com","https://img.youtube.com","https://live.staticflickr.com","https://metrics.brightcove.com","https://ps.w.org","https://s.w.org","https://secure.gravatar.com","https://www.admincolumns.com","https://www.google.com","https://www.googletagmanager.com","https://www.joomunited.com"],"manifest-src":["'self'"],"media-src":["'self'","blob:"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","https://cdn-3.convertexperiments.com","https://code.jquery.com","https://findit.state.gov","https://googleads.g.doubleclick.net","https://player.vimeo.com","https://players.brightcove.net","https://sadmin.brightco
ve.com","https://search.usa.gov","https://www.google-analytics.com","https://www.googletagmanager.com","https://www.youtube.com"],"script-src-elem":["'self'","'unsafe-inline'","data:","https://ajax.googleapis.com","https://cdn-3.convertexperiments.com","https://cdn.carbonads.com","https://code.jquery.com","https://dap.digitalgov.gov","https://findit.state.gov","https://googleads.g.doubleclick.net","https://pagead2.googlesyndication.com","https://public.govdelivery.com","https://sadmin.brightcove.com","https://search.usa.gov","https://siteimproveanalytics.com","https://www.google-analytics.com","https://www.google.com","https://www.googletagmanager.com","https://www.gstatic.com","https://www.youtube.com"],"style-src":["'self'","'unsafe-inline'","https://code.jquery.com","https://fonts.googleapis.com","https://players.brightcove.net","https://search.usa.gov","https://use.fontawesome.com"],"upgrade-insecure-requests":[],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","frame-src","media-src","script-src-elem","object-src","base-uri","form-action","frame-ancestors","manifest-src","worker-src","upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","https://*.global.siteimproveanalytics.io":"host-source","https://*.state.gov":"host-source","https://6290244.global.r2.siteimproveanalytics.io":"host-source","https://ajax.googleapis.com":"host-source","https://analytics.google.com":"host-source","https://api.flickr.com":"host-source","https://api.redirect.li":"host-source","https://cdn-3.convertexperiments.com":"host-source","https://cdn.carbonads.com":"host-source","https://cf-images.us-east-1.prod.boltdns.net":"host-source","https://code.jquery.com":"host-source","https://complianz.io":"host-source",
"https://connect.advancedcustomfields.com":"host-source","https://d15vqlr7iz6e8x.cloudfront.net":"host-source","https://dap.digitalgov.gov":"host-source","https://edge.api.brightcove.com":"host-source","https://findit.state.gov":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://gateway.foresee.com":"host-source","https://googlead2.googlesyndication.com":"host-source","https://googleads.g.doubleclick.net":"host-source","https://i.ytimg.com":"host-source","https://img.youtube.com":"host-source","https://live.staticflickr.com":"host-source","https://metrics.brightcove.com":"host-source","https://pagead2.googlesyndication.com":"host-source","https://player.vimeo.com":"host-source","https://players.brightcove.net":"host-source","https://ps.w.org":"host-source","https://public.govdelivery.com":"host-source","https://s.w.org":"host-source","https://sadmin.brightcove.com":"host-source","https://search.usa.gov":"host-source","https://secure.gravatar.com":"host-source","https://siteimproveanalytics.com":"host-source","https://stats.g.doubleclick.net":"host-source","https://use.fontawesome.com":"host-source","https://www.admincolumns.com":"host-source","https://www.google-analytics.com":"host-source","https://www.google.com":"host-source","https://www.googleadservices.com":"host-source","https://www.googletagmanager.com":"host-source","https://www.gstatic.com":"host-source","https://www.joomunited.com":"host-source","https://www.youtube.com":"host-source","https://yoast.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn-3.convertexperiments.com https://code.jquery.com https://findit.state.gov https://googleads.g.doubleclick.net https://player.vimeo.com https://players.brightcove.net https://sadmin.brightcove.com https://search.usa.gov https://www.google-analytics.com https://www.googletagmanager.com 
https://www.youtube.com; script-src-elem 'self' 'unsafe-inline' data: https://ajax.googleapis.com https://cdn-3.convertexperiments.com https://cdn.carbonads.com https://code.jquery.com https://dap.digitalgov.gov https://findit.state.gov https://googleads.g.doubleclick.net https://pagead2.googlesyndication.com https://public.govdelivery.com https://sadmin.brightcove.com https://search.usa.gov https://siteimproveanalytics.com https://www.google-analytics.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com; style-src 'self' 'unsafe-inline' https://code.jquery.com https://fonts.googleapis.com https://players.brightcove.net https://search.usa.gov https://use.fontawesome.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://analytics.google.com https://api.flickr.com https://api.redirect.li https://dap.digitalgov.gov https://edge.api.brightcove.com https://gateway.foresee.com https://googleads.g.doubleclick.net https://pagead2.googlesyndication.com https://public.govdelivery.com https://stats.g.doubleclick.net https://www.google-analytics.com https://www.google.com https://www.googleadservices.com https://www.googletagmanager.com https://yoast.com; font-src 'self' data: https://fonts.gstatic.com https://use.fontawesome.com; form-action 'self' https://findit.state.gov; frame-ancestors 'self'; frame-src 'self' blob: https://players.brightcove.net https://public.govdelivery.com https://www.google.com https://www.googletagmanager.com https://www.youtube.com; img-src 'self' blob: data: https://*.global.siteimproveanalytics.io https://*.state.gov https://6290244.global.r2.siteimproveanalytics.io https://api.flickr.com https://cf-images.us-east-1.prod.boltdns.net https://complianz.io https://connect.advancedcustomfields.com https://d15vqlr7iz6e8x.cloudfront.net https://googlead2.googlesyndication.com https://googleads.g.doubleclick.net https://i.ytimg.com https://img.youtube.com https://live.staticflickr.com 
https://metrics.brightcove.com https://ps.w.org https://s.w.org https://secure.gravatar.com https://www.admincolumns.com https://www.google.com https://www.googletagmanager.com https://www.joomunited.com; manifest-src 'self'; media-src 'self' blob:; upgrade-insecure-requests ; worker-src 'self' blob:;"],"stats":{"totalHigh":1,"totalMedium":13,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://player.vimeo.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://sadmin.brightcove.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. 
This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn-3.convertexperiments.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://code.jquery.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://findit.state.gov","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://googleads.g.doubleclick.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.youtube.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://search.usa.gov","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://players.brightcove.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. 
This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"script-src-elem","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699dc1a3200db552f240de5a","ts":"2026-02-24T15:20:03.374Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://test.2dengine.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self'; connect-src 'self' https://api.stripe.com; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='; img-src 'self' data:; font-src 'self'; object-src 'self'; base-uri 'self';","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://api.stripe.com"],"default-src":["'self'"],"font-src":["'self'"],"img-src":["'self'","data:"],"object-src":["'self'"],"script-src":["'self'"],"style-src":["'self'","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='","'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='"]},"directiveOrder":["default-src","script-src","connect-src","style-src","img-src","font-src","object-src","base-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='":"hash-source","'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='":"hash-source","data:":"scheme-source","https://api.stripe.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self'; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='; object-src 'self'; base-uri 'self'; connect-src 'self' https://api.stripe.com; font-src 'self'; img-src 'self' data:;"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing reporting 
endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699dbf5f200db552f240de59","ts":"2026-02-24T15:10:23.815Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://ankasec.co","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https:; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; connect-src 'self';","directives":{"connect-src":["'self'"],"default-src":["'self'"],"font-src":["'self'","https://cdnjs.cloudflare.com","https://fonts.gstatic.com"],"img-src":["'self'","data:","https:"],"script-src":["'self'","'unsafe-inline'","https://cdnjs.cloudflare.com"],"style-src":["'self'","'unsafe-inline'","https://cdnjs.cloudflare.com","https://fonts.googleapis.com"]},"directiveOrder":["default-src","style-src","script-src","img-src","font-src","connect-src"],"disposition":"enforce","delivery":"meta","sourceMapping":{"'self'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source","https:":"scheme-source","https://cdnjs.cloudflare.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source"}},"disposition":"enforce","source":"meta","policies":["default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://fonts.googleapis.com; connect-src 'self'; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; img-src 'self' data: https:;"],"stats":{"totalHigh":1,"totalMedium":4,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on 
script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdnjs.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699dbf3d496846fac56e6bd7","ts":"2026-02-24T15:09:49.332Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.parfumlab.com","isHidden":false,"parsedPolicy":{"policy":"block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;","directives":{"block-all-mixed-content":[],"frame-ancestors":["'none'"],"upgrade-insecure-requests":[]},"directiveOrder":["block-all-mixed-content","frame-ancestors","upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source"}},"disposition":"enforce","source":"header","policies":["block-all-mixed-content ; frame-ancestors 'none'; upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699dbf3d496846fac56e6bd6","ts":"2026-02-24T15:09:49.184Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.parfumlab.com","isHidden":false,"parsedPolicy":{"policy":"block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;","directives":{"block-all-mixed-content":[],"frame-ancestors":["'none'"],"upgrade-insecure-requests":[]},"directiveOrder":["block-all-mixed-content","frame-ancestors","upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source"}},"disposition":"enforce","source":"header","policies":["block-all-mixed-content ; frame-ancestors 'none'; upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699dbe51496846fac56e6bd5","ts":"2026-02-24T15:05:53.71Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://test.2dengine.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self'; connect-src 'self' https://2dengine.com https://api.stripe.com; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='; img-src 'self' data:; font-src 'self';","directives":{"connect-src":["'self'","https://2dengine.com","https://api.stripe.com"],"default-src":["'self'"],"font-src":["'self'"],"img-src":["'self'","data:"],"script-src":["'self'"],"style-src":["'self'","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='","'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='"]},"directiveOrder":["default-src","script-src","connect-src","style-src","img-src","font-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='":"hash-source","'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='":"hash-source","data:":"scheme-source","https://2dengine.com":"host-source","https://api.stripe.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self'; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='; connect-src 'self' https://2dengine.com https://api.stripe.com; font-src 'self'; img-src 'self' data:;"],"stats":{"totalHigh":0,"totalMedium":3,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (with non-restrictive 
default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"699dbd88496846fac56e6bd4","ts":"2026-02-24T15:02:32.419Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://2dengine.de","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self'; connect-src 'self' https://2dengine.de https://api.stripe.com; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='; img-src 'self' data:; font-src 
'self';","directives":{"connect-src":["'self'","https://2dengine.de","https://api.stripe.com"],"default-src":["'self'"],"font-src":["'self'"],"img-src":["'self'","data:"],"script-src":["'self'"],"style-src":["'self'","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='","'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='"]},"directiveOrder":["default-src","script-src","connect-src","style-src","img-src","font-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='":"hash-source","'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='":"hash-source","data:":"scheme-source","https://2dengine.de":"host-source","https://api.stripe.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self'; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo='; connect-src 'self' https://2dengine.de https://api.stripe.com; font-src 'self'; img-src 'self' data:;"],"stats":{"totalHigh":0,"totalMedium":3,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]}]