[{"id":"69688d96d06d0be7b2acd3e1","ts":"2026-01-15T06:47:50.122Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://drreddys.ca/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src https://cdn-prod.eu.securiti.ai https://app.eu.securiti.ai https://*.googletagmanager.com https://*.newrelic.com https://*.addtoany.com https://*.nr-data.net 'unsafe-inline' 'unsafe-eval' 'self'; object-src 'self'; style-src https://cdn-prod.eu.securiti.ai https://app.eu.securiti.ai https://*.cloudflare.com 'unsafe-inline' 'self'; frame-src https://privacy-central.eu.securiti.ai https://cdn-prod.eu.securiti.ai https://app.eu.securiti.ai https://*.addtoany.com 'self'; frame-ancestors https://privacy-central.eu.securiti.ai 'self'; child-src https://privacy-central.eu.securiti.ai 'self'; connect-src https://cdn-prod.eu.securiti.ai https://app.eu.securiti.ai https://*.google-analytics.com https://*.nr-data.net 'self'; report-uri /report-csp-violation; 
upgrade-insecure-requests","directives":{"child-src":["'self'","https://privacy-central.eu.securiti.ai"],"connect-src":["'self'","https://*.google-analytics.com","https://*.nr-data.net","https://app.eu.securiti.ai","https://cdn-prod.eu.securiti.ai"],"default-src":["'self'"],"frame-ancestors":["'self'","https://privacy-central.eu.securiti.ai"],"frame-src":["'self'","https://*.addtoany.com","https://app.eu.securiti.ai","https://cdn-prod.eu.securiti.ai","https://privacy-central.eu.securiti.ai"],"object-src":["'self'"],"report-uri":["/report-csp-violation"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","https://*.addtoany.com","https://*.googletagmanager.com","https://*.newrelic.com","https://*.nr-data.net","https://app.eu.securiti.ai","https://cdn-prod.eu.securiti.ai"],"style-src":["'self'","'unsafe-inline'","https://*.cloudflare.com","https://app.eu.securiti.ai","https://cdn-prod.eu.securiti.ai"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","object-src","style-src","frame-src","frame-ancestors","child-src","connect-src","report-uri","upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","/report-csp-violation":"","https://*.addtoany.com":"host-source","https://*.cloudflare.com":"host-source","https://*.google-analytics.com":"host-source","https://*.googletagmanager.com":"host-source","https://*.newrelic.com":"host-source","https://*.nr-data.net":"host-source","https://app.eu.securiti.ai":"host-source","https://cdn-prod.eu.securiti.ai":"host-source","https://privacy-central.eu.securiti.ai":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.addtoany.com https://*.googletagmanager.com https://*.newrelic.com https://*.nr-data.net https://app.eu.securiti.ai https://cdn-prod.eu.securiti.ai; style-src 'self' 
'unsafe-inline' https://*.cloudflare.com https://app.eu.securiti.ai https://cdn-prod.eu.securiti.ai; object-src 'self'; child-src 'self' https://privacy-central.eu.securiti.ai; connect-src 'self' https://*.google-analytics.com https://*.nr-data.net https://app.eu.securiti.ai https://cdn-prod.eu.securiti.ai; frame-ancestors 'self' https://privacy-central.eu.securiti.ai; frame-src 'self' https://*.addtoany.com https://app.eu.securiti.ai https://cdn-prod.eu.securiti.ai https://privacy-central.eu.securiti.ai; report-uri /report-csp-violation; upgrade-insecure-requests ;"],"stats":{"totalHigh":1,"totalMedium":8,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.newrelic.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. 
This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.addtoany.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.googletagmanager.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.nr-data.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://app.eu.securiti.ai","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn-prod.eu.securiti.ai","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"69686b62d06d0be7b2acd3df","ts":"2026-01-15T04:21:54.364Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://staging.energyrating.gov.au/","isHidden":false,"parsedPolicy":{"policy":"script-src 'unsafe-inline' 'unsafe-eval' 'self' https://*.awswaf.com https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com www.google.com www.gstatic.com www.google-analytics.com bam.nr-data.net code.jquery.com unpkg.com; connect-src 'self' https://*.awswaf.com https://www.google-analytics.com; script-src-elem 'unsafe-inline' 'self' https://*.awswaf.com https://www.google-analytics.com https://www.gstatic.com https://www.google.com/recaptcha/ code.jquery.com unpkg.com","directives":{"connect-src":["'self'","https://*.awswaf.com","https://www.google-analytics.com"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","bam.nr-data.net","code.jquery.com","https://*.awswaf.com","https://cdn.jsdelivr.net","https://stackpath.bootstrapcdn.com","unpkg.com","www.google-analytics.com","www.google.com","www.gstatic.com"],"script-src-elem":["'self'","'unsafe-inline'","code.jquery.com","https://*.awswaf.com","https://www.google-analytics.com","https://www.google.com/recaptcha/","https://www.gstatic.com","unpkg.com"]},"directiveOrder":["script-src","connect-src","script-src-elem"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","bam.nr-data.net":"host-source","code.jquery.com":"host-source","https://*.awswaf.com":"host-source","https://cdn.jsdelivr.net":"host-source","https://stackpath.bootstrapcdn.com":"host-source","https://www.google-analytics.com":"host-source","https://www.google.com/recaptcha/
":"host-source","https://www.gstatic.com":"host-source","unpkg.com":"host-source","www.google-analytics.com":"host-source","www.google.com":"host-source","www.gstatic.com":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'self' 'unsafe-eval' 'unsafe-inline' bam.nr-data.net code.jquery.com https://*.awswaf.com https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com unpkg.com www.google-analytics.com www.google.com www.gstatic.com; script-src-elem 'self' 'unsafe-inline' code.jquery.com https://*.awswaf.com https://www.google-analytics.com https://www.google.com/recaptcha/ https://www.gstatic.com unpkg.com; connect-src 'self' https://*.awswaf.com https://www.google-analytics.com;"],"stats":{"totalHigh":2,"totalMedium":12,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.jsdelivr.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://stackpath.bootstrapcdn.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.awswaf.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"bam.nr-data.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"code.jquery.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"unpkg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"script-src-elem","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"69686b001f204e44ef80eaaf","ts":"2026-01-15T04:20:16.764Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://reg.energyrating.gov.au/","isHidden":false,"parsedPolicy":{"policy":"script-src 'unsafe-inline' 'unsafe-eval' 'self' https://*.awswaf.com https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com www.google.com www.gstatic.com www.google-analytics.com bam.nr-data.net code.jquery.com unpkg.com; connect-src 'self' https://*.awswaf.com https://www.google-analytics.com; script-src-elem 'unsafe-inline' 'self' https://*.awswaf.com https://www.google-analytics.com https://www.gstatic.com https://www.google.com/recaptcha/ code.jquery.com unpkg.com","directives":{"connect-src":["'self'","https://*.awswaf.com","https://www.google-analytics.com"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","bam.nr-data.net","code.jquery.com","https://*.awswaf.com","https://cdn.jsdelivr.net","https://stackpath.bootstrapcdn.com","unpkg.com","www.google-analytics.com","www.google.com","www.gstatic.com"],"script-src-elem":["'self'","'unsafe-inline'","code.jquery.com","https://*.awswaf.com","https://www.google-analytics.com","https://www.google.com/recaptcha/","https://www.gstatic.com","unpkg.com"]},"directiveOrder":["script-src","connect-src","script-src-elem"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","bam.nr-data.net":"host-source","code.jquery.com":"host-source","https://*.awswaf.com":"host-source","https://cdn.jsdelivr.net":"host-source","https://stackpath.bootstrapcdn.com":"host-source","https://www.google-analytics.com":"host-source","https://www.google.com/recaptcha/":"h
ost-source","https://www.gstatic.com":"host-source","unpkg.com":"host-source","www.google-analytics.com":"host-source","www.google.com":"host-source","www.gstatic.com":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'self' 'unsafe-eval' 'unsafe-inline' bam.nr-data.net code.jquery.com https://*.awswaf.com https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com unpkg.com www.google-analytics.com www.google.com www.gstatic.com; script-src-elem 'self' 'unsafe-inline' code.jquery.com https://*.awswaf.com https://www.google-analytics.com https://www.google.com/recaptcha/ https://www.gstatic.com unpkg.com; connect-src 'self' https://*.awswaf.com https://www.google-analytics.com;"],"stats":{"totalHigh":2,"totalMedium":12,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.jsdelivr.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://stackpath.bootstrapcdn.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.awswaf.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"bam.nr-data.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"code.jquery.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"unpkg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"script-src-elem","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"696856561f204e44ef80eaad","ts":"2026-01-15T02:52:06.126Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://payments.xfinity.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self' *.xfinity.com *.comcast.net *.iperceptions.com yzxoc3kd30.execute-api.us-east-2.amazonaws.com dsm-stg.csw.xfinity.com dsm.csw.xfinity.com csp-stg.codebig2.net csp-preprod.codebig2.net csp-dev.codebig2.net nxa8wludkf.execute-api.us-west-2.amazonaws.com csp-prod.codebig2.net *.flashtalking.com cdn.comcast.com cdn-prod.securiti.ai app.securiti.ai; script-src 'self' 'unsafe-inline' 'unsafe-eval' yzxoc3kd30.execute-api.us-east-2.amazonaws.com dsm-stg.csw.xfinity.com dsm.csw.xfinity.com csp-stg.codebig2.net csp-preprod.codebig2.net csp-dev.codebig2.net nxa8wludkf.execute-api.us-west-2.amazonaws.com csp-prod.codebig2.net *.xfinity.com *.comcast.net *.iperceptions.com *.nd.nudatasecurity.com assets.adobedtm.com connect.facebook.net bat.bing.com assets-ssl.cdn.spongecell.com js.dmtry.com js-agent.newrelic.com ajax.googleapis.com www.google-analytics.com *.googletagmanager.com *.googleadservices.com *.doubleclick.net *.google.com aa.agkn.com comcastcom.d1.sc.omtrdc.net *.vo.msecnd.net c1.rfihub.net bam.nr-data.net *.demdex.net *.rfihub.com *.tt.omtrdc.net marketing.adobe.com art.azureedge.net *.pulseinsights.com *.appdynamics.com *.flashtalking.com cdn.comcast.com static.cimcontent.net cdn.userreplay.net cdn.quantummetric.com assets-ssl.cdn.spongecell.com static.ads-twitter.com comcast.inq.com analytics.twitter.com *.inq.com *.impactradius-event.com cdn-prod.securiti.ai app.securiti.ai external.quantummetric.com comcast.quantummetric.com cdn.cookielaw.org assets.xfinity.com; img-src 'self' 
http://*.xfinity.com http://*.comcast.net *.xfinity.com *.comcast.net *.cimcontent.net data: yzxoc3kd30.execute-api.us-east-2.amazonaws.com dsm-stg.csw.xfinity.com dsm.csw.xfinity.com csp-stg.codebig2.net csp-preprod.codebig2.net csp-dev.codebig2.net nxa8wludkf.execute-api.us-west-2.amazonaws.com csp-prod.codebig2.net *.xfinity.com *.comcast.net *.iperceptions.com joust.cimcontent.net secure.leadback.advertising.com *.facebook.com bat.bing.com *.spongecell.com *.dmtry.com www.google-analytics.com *.googletagmanager.com *.googleadservices.com *.google.com *.demdex.net *.doubleclick.net comcastcom.d1.sc.omtrdc.net *.tt.omtrdc.net marketing.adobe.com *.nd.nudatasecurity.com *.everesttech.net *.eum-appdynamics.com *.flashtalking.com t.co cdn.comcast.com cdn-prod.securiti.ai app.securiti.ai cdn.cookielaw.org; style-src 'self' 'unsafe-inline' *.xfinity.com *.comcast.net *.cimcontent.net *.tt.omtrdc.net marketing.adobe.com *.iperceptions.com cdn.comcast.com cdn-prod.securiti.ai app.securiti.ai external.quantummetric.com comcast.quantummetric.com cdn.cookielaw.org; connect-src 'self' yzxoc3kd30.execute-api.us-east-2.amazonaws.com dsm-stg.csw.xfinity.com dsm.csw.xfinity.com csp-stg.codebig2.net csp-preprod.codebig2.net csp-dev.codebig2.net nxa8wludkf.execute-api.us-west-2.amazonaws.com csp-prod.codebig2.net *.xfinity.com *.comcast.net dpm.demdex.net *.iperceptions.com *.tt.omtrdc.net ajax.googleapis.com marketing.adobe.com comcastcom.d1.sc.omtrdc.net *.googletagmanager.com *.googleadservices.com *.doubleclick.net *.google.com bam.nr-data.net *.eum-appdynamics.com comcast-app.quantummetric.com *.userreplay.net cdn.comcast.com cdn-prod.securiti.ai app.securiti.ai comcast-sync.quantummetric.com rl.quantummetric.com cdn.quantummetric.com comcast.quantummetric.com ingest.quantummetric.com cdn.cookielaw.org geolocation.onetrust.com comcast-privacy.my.onetrust.com col.eum-appdynamics.com letzchat.pro letzchat.com; frame-src 'self' *.xfinity.com *.comcast.net assets.adobedtm.com 
*.fls.doubleclick.net *.iperceptions.com comcast.demdex.net *.rfihub.com *.tt.omtrdc.net marketing.adobe.com *.doubleclick.net *.facebook.com *.flashtalking.com cdn.userreplay.net cdn.quantummetric.com external.quantummetric.com comcast.quantummetric.com; font-src 'self' data: *.xfinity.com *.comcast.net *.cimcontent.net *.iperceptions.com *.tt.omtrdc.net marketing.adobe.com cdn.comcast.com cdn-prod.securiti.ai app.securiti.ai; media-src 'self' *.xfinity.com *.comcast.net *.cimcontent.net data: *.nd.nudatasecurity.com *.iperceptions.com;","directives":{"connect-src":["'self'","*.comcast.net","*.doubleclick.net","*.eum-appdynamics.com","*.google.com","*.googleadservices.com","*.googletagmanager.com","*.iperceptions.com","*.tt.omtrdc.net","*.userreplay.net","*.xfinity.com","ajax.googleapis.com","app.securiti.ai","bam.nr-data.net","cdn-prod.securiti.ai","cdn.comcast.com","cdn.cookielaw.org","cdn.quantummetric.com","col.eum-appdynamics.com","comcast-app.quantummetric.com","comcast-privacy.my.onetrust.com","comcast-sync.quantummetric.com","comcast.quantummetric.com","comcastcom.d1.sc.omtrdc.net","csp-dev.codebig2.net","csp-preprod.codebig2.net","csp-prod.codebig2.net","csp-stg.codebig2.net","dpm.demdex.net","dsm-stg.csw.xfinity.com","dsm.csw.xfinity.com","geolocation.onetrust.com","ingest.quantummetric.com","letzchat.com","letzchat.pro","marketing.adobe.com","nxa8wludkf.execute-api.us-west-2.amazonaws.com","rl.quantummetric.com","yzxoc3kd30.execute-api.us-east-2.amazonaws.com"],"default-src":["'self'","*.comcast.net","*.flashtalking.com","*.iperceptions.com","*.xfinity.com","app.securiti.ai","cdn-prod.securiti.ai","cdn.comcast.com","csp-dev.codebig2.net","csp-preprod.codebig2.net","csp-prod.codebig2.net","csp-stg.codebig2.net","dsm-stg.csw.xfinity.com","dsm.csw.xfinity.com","nxa8wludkf.execute-api.us-west-2.amazonaws.com","yzxoc3kd30.execute-api.us-east-2.amazonaws.com"],"font-src":["'self'","*.cimcontent.net","*.comcast.net","*.iperceptions.com","*.tt.omtrdc.net","*.xfi
nity.com","app.securiti.ai","cdn-prod.securiti.ai","cdn.comcast.com","data:","marketing.adobe.com"],"frame-src":["'self'","*.comcast.net","*.doubleclick.net","*.facebook.com","*.flashtalking.com","*.fls.doubleclick.net","*.iperceptions.com","*.rfihub.com","*.tt.omtrdc.net","*.xfinity.com","assets.adobedtm.com","cdn.quantummetric.com","cdn.userreplay.net","comcast.demdex.net","comcast.quantummetric.com","external.quantummetric.com","marketing.adobe.com"],"img-src":["'self'","*.cimcontent.net","*.comcast.net","*.comcast.net","*.demdex.net","*.dmtry.com","*.doubleclick.net","*.eum-appdynamics.com","*.everesttech.net","*.facebook.com","*.flashtalking.com","*.google.com","*.googleadservices.com","*.googletagmanager.com","*.iperceptions.com","*.nd.nudatasecurity.com","*.spongecell.com","*.tt.omtrdc.net","*.xfinity.com","*.xfinity.com","app.securiti.ai","bat.bing.com","cdn-prod.securiti.ai","cdn.comcast.com","cdn.cookielaw.org","comcastcom.d1.sc.omtrdc.net","csp-dev.codebig2.net","csp-preprod.codebig2.net","csp-prod.codebig2.net","csp-stg.codebig2.net","data:","dsm-stg.csw.xfinity.com","dsm.csw.xfinity.com","http://*.comcast.net","http://*.xfinity.com","joust.cimcontent.net","marketing.adobe.com","nxa8wludkf.execute-api.us-west-2.amazonaws.com","secure.leadback.advertising.com","t.co","www.google-analytics.com","yzxoc3kd30.execute-api.us-east-2.amazonaws.com"],"media-src":["'self'","*.cimcontent.net","*.comcast.net","*.iperceptions.com","*.nd.nudatasecurity.com","*.xfinity.com","data:"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","*.appdynamics.com","*.comcast.net","*.demdex.net","*.doubleclick.net","*.flashtalking.com","*.google.com","*.googleadservices.com","*.googletagmanager.com","*.impactradius-event.com","*.inq.com","*.iperceptions.com","*.nd.nudatasecurity.com","*.pulseinsights.com","*.rfihub.com","*.tt.omtrdc.net","*.vo.msecnd.net","*.xfinity.com","aa.agkn.com","ajax.googleapis.com","analytics.twitter.com","app.securiti.ai","art.azureedge.net","assets-
ssl.cdn.spongecell.com","assets-ssl.cdn.spongecell.com","assets.adobedtm.com","assets.xfinity.com","bam.nr-data.net","bat.bing.com","c1.rfihub.net","cdn-prod.securiti.ai","cdn.comcast.com","cdn.cookielaw.org","cdn.quantummetric.com","cdn.userreplay.net","comcast.inq.com","comcast.quantummetric.com","comcastcom.d1.sc.omtrdc.net","connect.facebook.net","csp-dev.codebig2.net","csp-preprod.codebig2.net","csp-prod.codebig2.net","csp-stg.codebig2.net","dsm-stg.csw.xfinity.com","dsm.csw.xfinity.com","external.quantummetric.com","js-agent.newrelic.com","js.dmtry.com","marketing.adobe.com","nxa8wludkf.execute-api.us-west-2.amazonaws.com","static.ads-twitter.com","static.cimcontent.net","www.google-analytics.com","yzxoc3kd30.execute-api.us-east-2.amazonaws.com"],"style-src":["'self'","'unsafe-inline'","*.cimcontent.net","*.comcast.net","*.iperceptions.com","*.tt.omtrdc.net","*.xfinity.com","app.securiti.ai","cdn-prod.securiti.ai","cdn.comcast.com","cdn.cookielaw.org","comcast.quantummetric.com","external.quantummetric.com","marketing.adobe.com"]},"directiveOrder":["default-src","script-src","img-src","style-src","connect-src","frame-src","font-src","media-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","*.appdynamics.com":"host-source","*.cimcontent.net":"host-source","*.comcast.net":"host-source","*.demdex.net":"host-source","*.dmtry.com":"host-source","*.doubleclick.net":"host-source","*.eum-appdynamics.com":"host-source","*.everesttech.net":"host-source","*.facebook.com":"host-source","*.flashtalking.com":"host-source","*.fls.doubleclick.net":"host-source","*.google.com":"host-source","*.googleadservices.com":"host-source","*.googletagmanager.com":"host-source","*.impactradius-event.com":"host-source","*.inq.com":"host-source","*.iperceptions.com":"host-source","*.nd.nudatasecurity.com":"host-source","*.pulseinsights.com":"host-source","*.rfihub.com":"host-sourc
e","*.spongecell.com":"host-source","*.tt.omtrdc.net":"host-source","*.userreplay.net":"host-source","*.vo.msecnd.net":"host-source","*.xfinity.com":"host-source","aa.agkn.com":"host-source","ajax.googleapis.com":"host-source","analytics.twitter.com":"host-source","app.securiti.ai":"host-source","art.azureedge.net":"host-source","assets-ssl.cdn.spongecell.com":"host-source","assets.adobedtm.com":"host-source","assets.xfinity.com":"host-source","bam.nr-data.net":"host-source","bat.bing.com":"host-source","c1.rfihub.net":"host-source","cdn-prod.securiti.ai":"host-source","cdn.comcast.com":"host-source","cdn.cookielaw.org":"host-source","cdn.quantummetric.com":"host-source","cdn.userreplay.net":"host-source","col.eum-appdynamics.com":"host-source","comcast-app.quantummetric.com":"host-source","comcast-privacy.my.onetrust.com":"host-source","comcast-sync.quantummetric.com":"host-source","comcast.demdex.net":"host-source","comcast.inq.com":"host-source","comcast.quantummetric.com":"host-source","comcastcom.d1.sc.omtrdc.net":"host-source","connect.facebook.net":"host-source","csp-dev.codebig2.net":"host-source","csp-preprod.codebig2.net":"host-source","csp-prod.codebig2.net":"host-source","csp-stg.codebig2.net":"host-source","data:":"scheme-source","dpm.demdex.net":"host-source","dsm-stg.csw.xfinity.com":"host-source","dsm.csw.xfinity.com":"host-source","external.quantummetric.com":"host-source","geolocation.onetrust.com":"host-source","http://*.comcast.net":"host-source","http://*.xfinity.com":"host-source","ingest.quantummetric.com":"host-source","joust.cimcontent.net":"host-source","js-agent.newrelic.com":"host-source","js.dmtry.com":"host-source","letzchat.com":"host-source","letzchat.pro":"host-source","marketing.adobe.com":"host-source","nxa8wludkf.execute-api.us-west-2.amazonaws.com":"host-source","rl.quantummetric.com":"host-source","secure.leadback.advertising.com":"host-source","static.ads-twitter.com":"host-source","static.cimcontent.net":"host-source","t.co":"
host-source","www.google-analytics.com":"host-source","yzxoc3kd30.execute-api.us-east-2.amazonaws.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self' *.comcast.net *.flashtalking.com *.iperceptions.com *.xfinity.com app.securiti.ai cdn-prod.securiti.ai cdn.comcast.com csp-dev.codebig2.net csp-preprod.codebig2.net csp-prod.codebig2.net csp-stg.codebig2.net dsm-stg.csw.xfinity.com dsm.csw.xfinity.com nxa8wludkf.execute-api.us-west-2.amazonaws.com yzxoc3kd30.execute-api.us-east-2.amazonaws.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.appdynamics.com *.comcast.net *.demdex.net *.doubleclick.net *.flashtalking.com *.google.com *.googleadservices.com *.googletagmanager.com *.impactradius-event.com *.inq.com *.iperceptions.com *.nd.nudatasecurity.com *.pulseinsights.com *.rfihub.com *.tt.omtrdc.net *.vo.msecnd.net *.xfinity.com aa.agkn.com ajax.googleapis.com analytics.twitter.com app.securiti.ai art.azureedge.net assets-ssl.cdn.spongecell.com assets.adobedtm.com assets.xfinity.com bam.nr-data.net bat.bing.com c1.rfihub.net cdn-prod.securiti.ai cdn.comcast.com cdn.cookielaw.org cdn.quantummetric.com cdn.userreplay.net comcast.inq.com comcast.quantummetric.com comcastcom.d1.sc.omtrdc.net connect.facebook.net csp-dev.codebig2.net csp-preprod.codebig2.net csp-prod.codebig2.net csp-stg.codebig2.net dsm-stg.csw.xfinity.com dsm.csw.xfinity.com external.quantummetric.com js-agent.newrelic.com js.dmtry.com marketing.adobe.com nxa8wludkf.execute-api.us-west-2.amazonaws.com static.ads-twitter.com static.cimcontent.net www.google-analytics.com yzxoc3kd30.execute-api.us-east-2.amazonaws.com; style-src 'self' 'unsafe-inline' *.cimcontent.net *.comcast.net *.iperceptions.com *.tt.omtrdc.net *.xfinity.com app.securiti.ai cdn-prod.securiti.ai cdn.comcast.com cdn.cookielaw.org comcast.quantummetric.com external.quantummetric.com marketing.adobe.com; connect-src 'self' *.comcast.net *.doubleclick.net *.eum-appdynamics.com *.google.com 
*.googleadservices.com *.googletagmanager.com *.iperceptions.com *.tt.omtrdc.net *.userreplay.net *.xfinity.com ajax.googleapis.com app.securiti.ai bam.nr-data.net cdn-prod.securiti.ai cdn.comcast.com cdn.cookielaw.org cdn.quantummetric.com col.eum-appdynamics.com comcast-app.quantummetric.com comcast-privacy.my.onetrust.com comcast-sync.quantummetric.com comcast.quantummetric.com comcastcom.d1.sc.omtrdc.net csp-dev.codebig2.net csp-preprod.codebig2.net csp-prod.codebig2.net csp-stg.codebig2.net dpm.demdex.net dsm-stg.csw.xfinity.com dsm.csw.xfinity.com geolocation.onetrust.com ingest.quantummetric.com letzchat.com letzchat.pro marketing.adobe.com nxa8wludkf.execute-api.us-west-2.amazonaws.com rl.quantummetric.com yzxoc3kd30.execute-api.us-east-2.amazonaws.com; font-src 'self' *.cimcontent.net *.comcast.net *.iperceptions.com *.tt.omtrdc.net *.xfinity.com app.securiti.ai cdn-prod.securiti.ai cdn.comcast.com data: marketing.adobe.com; frame-src 'self' *.comcast.net *.doubleclick.net *.facebook.com *.flashtalking.com *.fls.doubleclick.net *.iperceptions.com *.rfihub.com *.tt.omtrdc.net *.xfinity.com assets.adobedtm.com cdn.quantummetric.com cdn.userreplay.net comcast.demdex.net comcast.quantummetric.com external.quantummetric.com marketing.adobe.com; img-src 'self' *.cimcontent.net *.comcast.net *.demdex.net *.dmtry.com *.doubleclick.net *.eum-appdynamics.com *.everesttech.net *.facebook.com *.flashtalking.com *.google.com *.googleadservices.com *.googletagmanager.com *.iperceptions.com *.nd.nudatasecurity.com *.spongecell.com *.tt.omtrdc.net *.xfinity.com app.securiti.ai bat.bing.com cdn-prod.securiti.ai cdn.comcast.com cdn.cookielaw.org comcastcom.d1.sc.omtrdc.net csp-dev.codebig2.net csp-preprod.codebig2.net csp-prod.codebig2.net csp-stg.codebig2.net data: dsm-stg.csw.xfinity.com dsm.csw.xfinity.com http://*.comcast.net http://*.xfinity.com joust.cimcontent.net marketing.adobe.com nxa8wludkf.execute-api.us-west-2.amazonaws.com secure.leadback.advertising.com t.co 
www.google-analytics.com yzxoc3kd30.execute-api.us-east-2.amazonaws.com; media-src 'self' *.cimcontent.net *.comcast.net *.iperceptions.com *.nd.nudatasecurity.com *.xfinity.com data:;"],"stats":{"totalHigh":1,"totalMedium":62,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.appdynamics.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.comcast.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.demdex.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.doubleclick.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.flashtalking.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.google.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.googleadservices.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.googletagmanager.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.impactradius-event.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.inq.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.iperceptions.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.nd.nudatasecurity.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.pulseinsights.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.rfihub.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.tt.omtrdc.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.vo.msecnd.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.xfinity.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.comcast.net","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.flashtalking.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.iperceptions.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"*.xfinity.com","message":"It's best to minimize the locations from where sensitive content can be loaded from. 
A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"aa.agkn.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"ajax.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"analytics.twitter.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"app.securiti.ai","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"art.azureedge.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets-ssl.cdn.spongecell.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets.adobedtm.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"assets.xfinity.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"bam.nr-data.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"bat.bing.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"c1.rfihub.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn-prod.securiti.ai","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn.comcast.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn.cookielaw.org","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn.quantummetric.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"cdn.userreplay.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"comcast.inq.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"comcast.quantummetric.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"comcastcom.d1.sc.omtrdc.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"connect.facebook.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"csp-dev.codebig2.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"csp-preprod.codebig2.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"csp-prod.codebig2.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"csp-stg.codebig2.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"dsm-stg.csw.xfinity.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"dsm.csw.xfinity.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"external.quantummetric.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"js-agent.newrelic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"js.dmtry.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"marketing.adobe.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"nxa8wludkf.execute-api.us-west-2.amazonaws.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"static.ads-twitter.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"static.cimcontent.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"yzxoc3kd30.execute-api.us-east-2.amazonaws.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"img-src","source":"http://*.comcast.net","message":"Allowing content over insecure channels can allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"img-src","source":"http://*.xfinity.com","message":"Allowing content over insecure channels can allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible. form-action does not fall back to default-src.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"696823581f204e44ef80eaa0","ts":"2026-01-14T23:14:32.37Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://wjhattorneys.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'report-sample' 'self' https://www.googletagmanager.com/gtag/js google-analytics.com googletagmanager.com; style-src 'report-sample' 'self' 'unsafe-inline' https://p.typekit.net https://use.typekit.net; object-src 'none'; base-uri 'self'; connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' https://use.typekit.net; frame-src 'self'; img-src 'self' https://www.googletagmanager.com; manifest-src 'self'; media-src 'self'; worker-src 'none';","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://www.google-analytics.com","https://www.googletagmanager.com"],"default-src":["'self'"],"font-src":["'self'","https://use.typekit.net"],"frame-src":["'self'"],"img-src":["'self'","https://www.googletagmanager.com"],"manifest-src":["'self'"],"media-src":["'self'"],"object-src":["'none'"],"script-src":["'report-sample'","'self'","google-analytics.com","googletagmanager.com","https://www.googletagmanager.com/gtag/js"],"style-src":["'report-sample'","'self'","'unsafe-inline'","https://p.typekit.net","https://use.typekit.net"],"worker-src":["'none'"]},"directiveOrder":["default-src","script-src","style-src","object-src","base-uri","connect-src","font-src","frame-src","img-src","manifest-src","media-src","worker-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","google-analytics.com":"host-source","goo
gletagmanager.com":"host-source","https://p.typekit.net":"host-source","https://use.typekit.net":"host-source","https://www.google-analytics.com":"host-source","https://www.googletagmanager.com":"host-source","https://www.googletagmanager.com/gtag/js":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'report-sample' 'self' google-analytics.com googletagmanager.com https://www.googletagmanager.com/gtag/js; style-src 'report-sample' 'self' 'unsafe-inline' https://p.typekit.net https://use.typekit.net; object-src 'none'; base-uri 'self'; connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self' https://use.typekit.net; frame-src 'self'; img-src 'self' https://www.googletagmanager.com; manifest-src 'self'; media-src 'self'; worker-src 'none';"],"stats":{"totalHigh":0,"totalMedium":3,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"}]},{"id":"696813c81f204e44ef80ea9e","ts":"2026-01-14T22:08:08.368Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://live.acemetrix.com/assets/video/mp4/null/best","isHidden":false,"parsedPolicy":{"policy":"frame-ancestors none","directives":{"frame-ancestors":["none"]},"directiveOrder":["frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"none":"keyword-source"}},"disposition":"enforce","source":"header","policies":["frame-ancestors 'none';"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible. form-action does not fall back to default-src.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"69680bce1f204e44ef80ea9d","ts":"2026-01-14T21:34:06.707Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://sites.google.com/","isHidden":false,"parsedPolicy":{"policy":"script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://ajax.googleapis.com/ajax/libs/jquery/3.6.4/jquery.min.js https://translate.google.com/translate_a/element.js https://www.google.com/recaptcha/api.js https://www.google.com/recaptcha/enterprise.js https://www.gstatic.com/recaptcha/ https://www.google.com/tools/feedback/chat_load.js https://www.google.com/tools/feedback/help_api.js https://www.google.com/tools/feedback/load.js https://www.google.com/tools/feedback/open.js https://www.google.com/tools/feedback/open_to_help_guide_lazy.js https://www.gstatic.com/feedback/js/ https://www.gstatic.com/feedback/js/help/prod/service/lazy.min.js https://www.gstatic.com/inproduct_help/api/main.min.js https://www.gstatic.com/inproduct_help/chatsupport/chatsupport_button_v2.js https://www.gstatic.com/inproduct_help/service/lazy.min.js https://www.gstatic.com/uservoice/feedback/client/web/live/ https://www.gstatic.com/uservoice/surveys/resources/prod/js/survey/ https://www.gstatic.com/_/mss/boq-one-google/_/ https://www.gstatic.com/og/_/js/ https://apis.google.com/js/api.js https://apis.google.com/js/client.js https://www.googletagmanager.com/gtag/js https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtag/destination https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en_US.4D-r311EU0U.es5.O/ https://apis.google.com/_/scs/abc-static/_/js/ https://translate.googleapis.com/_/translate_http/_/js/ https://www.gstatic.com/recaptcha/releases/;report-uri 
/v3/signin/_/AccountsSignInUi/cspreport/fine-allowlist","directives":{"report-uri":["/v3/signin/_/AccountsSignInUi/cspreport/fine-allowlist"],"script-src":["'unsafe-eval'","'unsafe-inline'","blob:","data:","https://ajax.googleapis.com/ajax/libs/jquery/3.6.4/jquery.min.js","https://apis.google.com/_/scs/abc-static/_/js/","https://apis.google.com/js/api.js","https://apis.google.com/js/client.js","https://translate.google.com/translate_a/element.js","https://translate.googleapis.com/_/translate_http/_/js/","https://www.google-analytics.com/analytics.js","https://www.google.com/recaptcha/api.js","https://www.google.com/recaptcha/enterprise.js","https://www.google.com/tools/feedback/chat_load.js","https://www.google.com/tools/feedback/help_api.js","https://www.google.com/tools/feedback/load.js","https://www.google.com/tools/feedback/open.js","https://www.google.com/tools/feedback/open_to_help_guide_lazy.js","https://www.googletagmanager.com/gtag/destination","https://www.googletagmanager.com/gtag/js","https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en_US.4D-r311EU0U.es5.O/","https://www.gstatic.com/_/mss/boq-one-google/_/","https://www.gstatic.com/feedback/js/","https://www.gstatic.com/feedback/js/help/prod/service/lazy.min.js","https://www.gstatic.com/inproduct_help/api/main.min.js","https://www.gstatic.com/inproduct_help/chatsupport/chatsupport_button_v2.js","https://www.gstatic.com/inproduct_help/service/lazy.min.js","https://www.gstatic.com/og/_/js/","https://www.gstatic.com/recaptcha/","https://www.gstatic.com/recaptcha/releases/","https://www.gstatic.com/uservoice/feedback/client/web/live/","https://www.gstatic.com/uservoice/surveys/resources/prod/js/survey/"]},"directiveOrder":["script-src","report-uri"],"disposition":"report","delivery":"header","sourceMapping":{"'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","/v3/signin/_/AccountsSignInUi/cspreport/fine-allowlist":"","blob:":"scheme-source","data:":"scheme-sour
ce","https://ajax.googleapis.com/ajax/libs/jquery/3.6.4/jquery.min.js":"host-source","https://apis.google.com/_/scs/abc-static/_/js/":"host-source","https://apis.google.com/js/api.js":"host-source","https://apis.google.com/js/client.js":"host-source","https://translate.google.com/translate_a/element.js":"host-source","https://translate.googleapis.com/_/translate_http/_/js/":"host-source","https://www.google-analytics.com/analytics.js":"host-source","https://www.google.com/recaptcha/api.js":"host-source","https://www.google.com/recaptcha/enterprise.js":"host-source","https://www.google.com/tools/feedback/chat_load.js":"host-source","https://www.google.com/tools/feedback/help_api.js":"host-source","https://www.google.com/tools/feedback/load.js":"host-source","https://www.google.com/tools/feedback/open.js":"host-source","https://www.google.com/tools/feedback/open_to_help_guide_lazy.js":"host-source","https://www.googletagmanager.com/gtag/destination":"host-source","https://www.googletagmanager.com/gtag/js":"host-source","https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en_US.4D-r311EU0U.es5.O/":"host-source","https://www.gstatic.com/_/mss/boq-one-google/_/":"host-source","https://www.gstatic.com/feedback/js/":"host-source","https://www.gstatic.com/feedback/js/help/prod/service/lazy.min.js":"host-source","https://www.gstatic.com/inproduct_help/api/main.min.js":"host-source","https://www.gstatic.com/inproduct_help/chatsupport/chatsupport_button_v2.js":"host-source","https://www.gstatic.com/inproduct_help/service/lazy.min.js":"host-source","https://www.gstatic.com/og/_/js/":"host-source","https://www.gstatic.com/recaptcha/":"host-source","https://www.gstatic.com/recaptcha/releases/":"host-source","https://www.gstatic.com/uservoice/feedback/client/web/live/":"host-source","https://www.gstatic.com/uservoice/surveys/resources/prod/js/survey/":"host-source"}},"disposition":"report","source":"header","policies":["script-src 'unsafe-eval' 
'unsafe-inline' blob: data: https://ajax.googleapis.com/ajax/libs/jquery/3.6.4/jquery.min.js https://apis.google.com/_/scs/abc-static/_/js/ https://apis.google.com/js/api.js https://apis.google.com/js/client.js https://translate.google.com/translate_a/element.js https://translate.googleapis.com/_/translate_http/_/js/ https://www.google-analytics.com/analytics.js https://www.google.com/recaptcha/api.js https://www.google.com/recaptcha/enterprise.js https://www.google.com/tools/feedback/chat_load.js https://www.google.com/tools/feedback/help_api.js https://www.google.com/tools/feedback/load.js https://www.google.com/tools/feedback/open.js https://www.google.com/tools/feedback/open_to_help_guide_lazy.js https://www.googletagmanager.com/gtag/destination https://www.googletagmanager.com/gtag/js https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en_US.4D-r311EU0U.es5.O/ https://www.gstatic.com/_/mss/boq-one-google/_/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/feedback/js/help/prod/service/lazy.min.js https://www.gstatic.com/inproduct_help/api/main.min.js https://www.gstatic.com/inproduct_help/chatsupport/chatsupport_button_v2.js https://www.gstatic.com/inproduct_help/service/lazy.min.js https://www.gstatic.com/og/_/js/ https://www.gstatic.com/recaptcha/ https://www.gstatic.com/recaptcha/releases/ https://www.gstatic.com/uservoice/feedback/client/web/live/ https://www.gstatic.com/uservoice/surveys/resources/prod/js/survey/; report-uri /v3/signin/_/AccountsSignInUi/cspreport/fine-allowlist;"],"stats":{"totalHigh":3,"totalMedium":2,"totalLow":5,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. 
This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"data:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible. form-action does not fall back to default-src.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"script-src","source":"https://www.gstatic.com/feedback/js/help/prod/service/lazy.min.js","message":"This source is repeated, or is already covered by a broader source in the same directive","recommendation":"Consider removing the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"script-src","source":"https://www.gstatic.com/recaptcha/releases/","message":"This source is repeated, or is already covered by a broader source in the same directive","recommendation":"Consider removing the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"69680bb9d06d0be7b2acd3d2","ts":"2026-01-14T21:33:45.439Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.google.com/","isHidden":false,"parsedPolicy":{"policy":"object-src 'none';base-uri 'self';script-src 'nonce-llrNrp7Iexk21uz-rG371A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp","directives":{"base-uri":["'self'"],"object-src":["'none'"],"report-uri":["https://csp.withgoogle.com/csp/gws/other-hp"],"script-src":["'nonce-llrNrp7Iexk21uz-rG371A'","'report-sample'","'strict-dynamic'","'unsafe-eval'","'unsafe-inline'","http:","https:"]},"directiveOrder":["object-src","base-uri","script-src","report-uri"],"disposition":"report","delivery":"header","sourceMapping":{"'nonce-llrNrp7Iexk21uz-rG371A'":"nonce-source","'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","'strict-dynamic'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","http:":"scheme-source","https:":"scheme-source","https://csp.withgoogle.com/csp/gws/other-hp":"host-source"}},"disposition":"report","source":"header","policies":["script-src 'nonce-llrNrp7Iexk21uz-rG371A' 'report-sample' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' http: https:; object-src 'none'; base-uri 'self'; report-uri https://csp.withgoogle.com/csp/gws/other-hp;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":2,"totalInfo":1},"recommendations":[{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"http:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of 
CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"script-src","source":"https:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"script-src","source":"http:","message":"Allowing content over insecure channels can allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"unsafe-inline is ignored when using nonces or hashes as a source","severity":"INFO","directive":"script-src","source":"unsafe-inline","message":"The usage of nonces and hashes means the policy ignores unsafe-inline. This can impact usability if you haven't whitelisted all inline script","recommendation":"","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"69680b57d06d0be7b2acd3d1","ts":"2026-01-14T21:32:07.536Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://csper.io/evaluator","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'report-sample' 'self' http://www.googletagmanager.com/gtag/js https://assets.csper.io https://js.stripe.com/v3/ https://www.google-analytics.com/analytics.js https://www.google-analytics.com/plugins/ua/ec.js https://www.googletagmanager.com/gtag/js ; style-src 'report-sample' 'self' 'unsafe-inline' https://assets.csper.io; object-src 'none'; base-uri 'self'; connect-src 'self' https://assets.csper.io https://clouderrorreporting.googleapis.com https://stats.g.doubleclick.net https://www.google-analytics.com wss://csper.io https://js.stripe.com/v3/; font-src 'self' data: https://fonts.gstatic.com; frame-src 'self' https://charts.mongodb.com https://js.stripe.com https://www.youtube.com; img-src 'self' data: https:; report-uri 
https://csper-prod.endpoint.csper.io?v=2;","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://assets.csper.io","https://clouderrorreporting.googleapis.com","https://js.stripe.com/v3/","https://stats.g.doubleclick.net","https://www.google-analytics.com","wss://csper.io"],"default-src":["'self'"],"font-src":["'self'","data:","https://fonts.gstatic.com"],"frame-src":["'self'","https://charts.mongodb.com","https://js.stripe.com","https://www.youtube.com"],"img-src":["'self'","data:","https:"],"object-src":["'none'"],"report-uri":["https://csper-prod.endpoint.csper.io?v=2"],"script-src":["'report-sample'","'self'","http://www.googletagmanager.com/gtag/js","https://assets.csper.io","https://js.stripe.com/v3/","https://www.google-analytics.com/analytics.js","https://www.google-analytics.com/plugins/ua/ec.js","https://www.googletagmanager.com/gtag/js"],"style-src":["'report-sample'","'self'","'unsafe-inline'","https://assets.csper.io"]},"directiveOrder":["default-src","script-src","style-src","object-src","base-uri","connect-src","font-src","frame-src","img-src","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source","http://www.googletagmanager.com/gtag/js":"host-source","https:":"scheme-source","https://assets.csper.io":"host-source","https://charts.mongodb.com":"host-source","https://clouderrorreporting.googleapis.com":"host-source","https://csper-prod.endpoint.csper.io?v=2":"","https://fonts.gstatic.com":"host-source","https://js.stripe.com":"host-source","https://js.stripe.com/v3/":"host-source","https://stats.g.doubleclick.net":"host-source","https://www.google-analytics.com":"host-source","https://www.google-analytics.com/analytics.js":"host-source","https://www.google-analytics.com/plugins/ua/ec.js":"host-source","https://www.googletagmanager.com/gtag/js":"host-source","https://www.yout
ube.com":"host-source","wss://csper.io":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'report-sample' 'self' http://www.googletagmanager.com/gtag/js https://assets.csper.io https://js.stripe.com/v3/ https://www.google-analytics.com/analytics.js https://www.google-analytics.com/plugins/ua/ec.js https://www.googletagmanager.com/gtag/js; style-src 'report-sample' 'self' 'unsafe-inline' https://assets.csper.io; object-src 'none'; base-uri 'self'; connect-src 'self' https://assets.csper.io https://clouderrorreporting.googleapis.com https://js.stripe.com/v3/ https://stats.g.doubleclick.net https://www.google-analytics.com wss://csper.io; font-src 'self' data: https://fonts.gstatic.com; frame-src 'self' https://charts.mongodb.com https://js.stripe.com https://www.youtube.com; img-src 'self' data: https:; report-uri https://csper-prod.endpoint.csper.io?v=2;"],"stats":{"totalHigh":0,"totalMedium":2,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://assets.csper.io","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"script-src","source":"http://www.googletagmanager.com/gtag/js","message":"Allowing content over insecure channels can allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. 
Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"}]},{"id":"696803251f204e44ef80ea9c","ts":"2026-01-14T20:57:09.906Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://customernode.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' wss://customernode.com; media-src 'self'; frame-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; report-uri 
/csp-report;","directives":{"base-uri":["'self'"],"connect-src":["'self'","wss://customernode.com"],"default-src":["'none'"],"font-src":["'self'"],"form-action":["'self'"],"frame-ancestors":["'none'"],"frame-src":["'self'"],"img-src":["'self'","data:"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["/csp-report"],"script-src":["'self'","'unsafe-inline'"],"style-src":["'self'","'unsafe-inline'"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","media-src","frame-src","object-src","base-uri","frame-ancestors","form-action","upgrade-insecure-requests","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","/csp-report":"","data:":"scheme-source","wss://customernode.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' wss://customernode.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'self'; img-src 'self' data:; media-src 'self'; report-uri /csp-report; upgrade-insecure-requests ;"],"stats":{"totalHigh":1,"totalMedium":0,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. 
This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"696803251f204e44ef80ea9b","ts":"2026-01-14T20:57:09.691Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://customernode.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' wss://customernode.com; media-src 'self'; frame-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; report-uri /csp-report;","directives":{"base-uri":["'self'"],"connect-src":["'self'","wss://customernode.com"],"default-src":["'none'"],"font-src":["'self'"],"form-action":["'self'"],"frame-ancestors":["'none'"],"frame-src":["'self'"],"img-src":["'self'","data:"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["/csp-report"],"script-src":["'self'","'unsafe-inline'"],"style-src":["'self'","'unsafe-inline'"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","media-src","frame-src","object-src","base-uri","frame-ancestors","form-action","upgrade-insecure-requests","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","/csp-report":"","data:":"scheme-source","wss://customernode.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' wss://customernode.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'self'; img-src 'self' data:; 
media-src 'self'; report-uri /csp-report; upgrade-insecure-requests ;"],"stats":{"totalHigh":1,"totalMedium":0,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"696802da1f204e44ef80ea9a","ts":"2026-01-14T20:55:54.407Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://customernode.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' wss://customernode.com; media-src 'self'; frame-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; report-uri /csp-report;","directives":{"base-uri":["'self'"],"connect-src":["'self'","wss://customernode.com"],"default-src":["'none'"],"font-src":["'self'"],"form-action":["'self'"],"frame-ancestors":["'none'"],"frame-src":["'self'"],"img-src":["'self'","data:"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["/csp-report"],"script-src":["'self'","'unsafe-inline'"],"style-src":["'self'","'unsafe-inline'"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","media-src","frame-src","object-src","base-uri","frame-ancestors","form-action","upgrade-insecure-requests","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","/csp-report":"","data:":"scheme-source","wss://customernode.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' wss://customernode.com; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'self'; img-src 'self' data:; 
media-src 'self'; report-uri /csp-report; upgrade-insecure-requests ;"],"stats":{"totalHigh":1,"totalMedium":0,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6967e90bd06d0be7b2acd3ca","ts":"2026-01-14T19:05:47.413Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://customernode.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' wss://customernode.com; media-src 'self'; frame-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; report-uri /csp-report;","directives":{"base-uri":["'self'"],"connect-src":["'self'","wss://customernode.com"],"default-src":["'none'"],"font-src":["'self'","data:"],"form-action":["'self'"],"frame-ancestors":["'none'"],"frame-src":["'self'"],"img-src":["'self'","data:"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["/csp-report"],"script-src":["'self'"],"style-src":["'self'","'unsafe-inline'"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","media-src","frame-src","object-src","base-uri","frame-ancestors","form-action","upgrade-insecure-requests","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","/csp-report":"","data:":"scheme-source","wss://customernode.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' wss://customernode.com; font-src 'self' data:; form-action 'self'; frame-ancestors 'none'; frame-src 'self'; img-src 'self' data:; media-src 'self'; report-uri 
/csp-report; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6967e6c2d06d0be7b2acd3c9","ts":"2026-01-14T18:56:02.881Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://customernode.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' wss://customernode.com; media-src 'self'; frame-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; report-uri /csp-report;","directives":{"base-uri":["'self'"],"connect-src":["'self'","wss://customernode.com"],"default-src":["'none'"],"font-src":["'self'","data:"],"form-action":["'self'"],"frame-ancestors":["'none'"],"frame-src":["'self'"],"img-src":["'self'","data:"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["/csp-report"],"script-src":["'self'"],"style-src":["'self'"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","media-src","frame-src","object-src","base-uri","frame-ancestors","form-action","upgrade-insecure-requests","report-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","/csp-report":"","data:":"scheme-source","wss://customernode.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'; connect-src 'self' wss://customernode.com; font-src 'self' data:; form-action 'self'; frame-ancestors 'none'; frame-src 'self'; img-src 'self' data:; media-src 'self'; report-uri /csp-report; upgrade-insecure-requests 
;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6967e66d1f204e44ef80ea91","ts":"2026-01-14T18:54:37.665Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://customernode.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' wss://customernode.com; media-src 'self'; frame-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; report-uri /csp-report; require-trusted-types-for 
'script'","directives":{"base-uri":["'self'"],"connect-src":["'self'","wss://customernode.com"],"default-src":["'none'"],"font-src":["'self'","data:"],"form-action":["'self'"],"frame-ancestors":["'none'"],"frame-src":["'self'"],"img-src":["'self'","data:"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["/csp-report"],"require-trusted-types-for":["'script'"],"script-src":["'self'"],"style-src":["'self'"],"upgrade-insecure-requests":[]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","media-src","frame-src","object-src","base-uri","frame-ancestors","form-action","upgrade-insecure-requests","report-uri","require-trusted-types-for"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'script'":"","'self'":"keyword-source","/csp-report":"","data:":"scheme-source","wss://customernode.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'; connect-src 'self' wss://customernode.com; font-src 'self' data:; form-action 'self'; frame-ancestors 'none'; frame-src 'self'; img-src 'self' data:; media-src 'self'; report-uri /csp-report; require-trusted-types-for 'script'; upgrade-insecure-requests ;"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Unknown CSP Source","severity":"MEDIUM","directive":"require-trusted-types-for","source":"'script'","message":"Invalid source type. 
It is not one of the types that CSP recognizes.","recommendation":"Fix the source such that it is a valid CSP source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Source has unnecessary quotes","severity":"LOW","directive":"require-trusted-types-for","source":"'script'","message":"The source has quotes when it should not","recommendation":"Remove the quotes.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6967cbb2c4e259476d593e64","ts":"2026-01-14T17:00:34.254Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://www.pluralsight.com/","isHidden":false,"parsedPolicy":{"policy":"frame-ancestors 'self' pluralsight.com pluralsight.highspot.com;","directives":{"frame-ancestors":["'self'","pluralsight.com","pluralsight.highspot.com"]},"directiveOrder":["frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","pluralsight.com":"host-source","pluralsight.highspot.com":"host-source"}},"disposition":"enforce","source":"header","policies":["frame-ancestors 'self' pluralsight.com pluralsight.highspot.com;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6967c442c4e259476d593e52","ts":"2026-01-14T16:28:50.602Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://supportdev2.iscsoftware.com/login.php","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; object-src 'none'; base-uri 'none'; frame-src 'none'; form-action 'self'; script-src 'nonce-gbxT8OxvCXjChVawUIOPnw==' 'strict-dynamic'; style-src 'self';","directives":{"base-uri":["'none'"],"default-src":["'self'"],"form-action":["'self'"],"frame-src":["'none'"],"object-src":["'none'"],"script-src":["'nonce-gbxT8OxvCXjChVawUIOPnw=='","'strict-dynamic'"],"style-src":["'self'"]},"directiveOrder":["default-src","object-src","base-uri","frame-src","form-action","script-src","style-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-gbxT8OxvCXjChVawUIOPnw=='":"nonce-source","'none'":"keyword-source","'self'":"keyword-source","'strict-dynamic'":"keyword-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'nonce-gbxT8OxvCXjChVawUIOPnw==' 'strict-dynamic'; style-src 'self'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-src 'none';"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6967c377c4e259476d593e50","ts":"2026-01-14T16:25:27.426Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://supportdev2.iscsoftware.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; object-src 'none'; base-uri 'none'; frame-src 'none'; form-action 'self'; script-src 'nonce-FkfKVKHA4NUkyqF5+dSHpQ==' 'strict-dynamic'; style-src 
'self';","directives":{"base-uri":["'none'"],"default-src":["'self'"],"form-action":["'self'"],"frame-src":["'none'"],"object-src":["'none'"],"script-src":["'nonce-FkfKVKHA4NUkyqF5+dSHpQ=='","'strict-dynamic'"],"style-src":["'self'"]},"directiveOrder":["default-src","object-src","base-uri","frame-src","form-action","script-src","style-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-FkfKVKHA4NUkyqF5+dSHpQ=='":"nonce-source","'none'":"keyword-source","'self'":"keyword-source","'strict-dynamic'":"keyword-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'nonce-FkfKVKHA4NUkyqF5+dSHpQ==' 'strict-dynamic'; style-src 'self'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-src 'none';"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":2,"totalInfo":0},"recommendations":[{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6967bbe0c4e259476d593e49","ts":"2026-01-14T15:53:04.146Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://sirec.caixabank.com","isHidden":false,"parsedPolicy":{"policy":"upgrade-insecure-requests","directives":{"upgrade-insecure-requests":[]},"directiveOrder":["upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{}},"disposition":"enforce","source":"header","policies":["upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 
base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6967b223c4e259476d593e47","ts":"2026-01-14T15:11:31.907Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://creditinsurance.sbigeneral.in/auth","isHidden":false,"parsedPolicy":{"policy":"frame-src 'self'; frame-ancestors 'self'; object-src 'none';","directives":{"frame-ancestors":["'self'"],"frame-src":["'self'"],"object-src":["'none'"]},"directiveOrder":["frame-src","frame-ancestors","object-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source"}},"disposition":"enforce","source":"header","policies":["object-src 'none'; frame-ancestors 'self'; frame-src 'self';"],"stats":{"totalHigh":1,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defiend form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]}]