[{"id":"6a19fadecdd4ec8a348c1220","ts":"2026-05-29T20:45:18.891Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://pse.bancamia.com.co/","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; img-src https://pse.bancamia.com.co; script-src https://pse.bancamia.com.co *.browseranalytic.com https://www.google.com https://www.gstatic.com 'nonce-2726c7f26c'; style-src https://pse.bancamia.com.co https://fonts.googleapis.com https://fonts.gstatic.com 'unsafe-inline'; font-src https://pse.bancamia.com.co https://fonts.googleapis.com https://fonts.gstatic.com; object-src 'none'; connect-src https://pse.bancamia.com.co *.browseranalytic.com https://jsonip.com; form-action 'none'; base-uri 'self'; frame-src https://www.google.com; frame-ancestors 'none'","directives":{"base-uri":["'self'"],"connect-src":["*.browseranalytic.com","https://jsonip.com","https://pse.bancamia.com.co"],"default-src":["'none'"],"font-src":["https://fonts.googleapis.com","https://fonts.gstatic.com","https://pse.bancamia.com.co"],"form-action":["'none'"],"frame-ancestors":["'none'"],"frame-src":["https://www.google.com"],"img-src":["https://pse.bancamia.com.co"],"object-src":["'none'"],"script-src":["'nonce-2726c7f26c'","*.browseranalytic.com","https://pse.bancamia.com.co","https://www.google.com","https://www.gstatic.com"],"style-src":["'unsafe-inline'","https://fonts.googleapis.com","https://fonts.gstatic.com","https://pse.bancamia.com.co"]},"directiveOrder":["default-src","img-src","script-src","style-src","font-src","object-src","connect-src","form-action","base-uri","frame-src","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-2726c7f26c'":"nonce-source","'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","*.browseranalytic.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://jsonip.com":"host-source"
,"https://pse.bancamia.com.co":"host-source","https://www.google.com":"host-source","https://www.gstatic.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'nonce-2726c7f26c' *.browseranalytic.com https://pse.bancamia.com.co https://www.google.com https://www.gstatic.com; style-src 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com https://pse.bancamia.com.co; object-src 'none'; base-uri 'self'; connect-src *.browseranalytic.com https://jsonip.com https://pse.bancamia.com.co; font-src https://fonts.googleapis.com https://fonts.gstatic.com https://pse.bancamia.com.co; form-action 'none'; frame-ancestors 'none'; frame-src https://www.google.com; img-src https://pse.bancamia.com.co;"],"stats":{"totalHigh":0,"totalMedium":5,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.browseranalytic.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://pse.bancamia.com.co","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.gstatic.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. 
This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a19cbd1f635243d449c402c","ts":"2026-05-29T17:24:33.651Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://soap.sbseguros.cl","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'report-sample' 'self' 'nonce-2be750de4b21821f1580135cb0e99829' 'sha256-NziETJxYU3QPY4drUTfz3CQb3Kdrdy+cfSiBrvfgqMk=' 'sha256-9U10x0umstX2PwqDuJcFu6XuusZFzJTynDzxmk9LqC0=' 'sha256-A4SWH9KZi9g1aG+lg/eX5mKCW5wM76+T2fe7Cz+F7eg=' 'sha256-PaC6xY1sPc3RvpviRyC7hWNEXok/kV+yZ6A10gVtaks=' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' 'sha256-AcR+h3+aeKtaw2xCtDVoIQuATxKlPEFf9vEoBuJ7LfY=' 'sha256-Z4WlZ7c18IhihWi9E6O6NXmzc+SJOCqbIPKRSZqbI6E=' https://www.googletagmanager.com/debug/ https://www.googletagmanager.com/gtag/ https://googleads.g.doubleclick.net/pagead/ https://www.google.com/ccm/collect 
https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtm.js https://www.google.com/recaptcha/api.js https://www.gstatic.com/recaptcha/releases/ https://www.recaptcha.net/recaptcha/api.js https://analytics.tiktok.com/i18n/pixel/events.js https://analytics.tiktok.com/i18n/pixel/static/ https://connect.facebook.net/en_US/fbevents.js https://connect.facebook.net/signals/ https://ads01.groovinads.com/ https://static.hotjar.com/c/ https://www.clarity.ms/tag/ https://scripts.clarity.ms/0.8.57/clarity.js; object-src 'none'; base-uri 'self'; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com data:; frame-src 'self' https://ads01.groovinads.com/grv/ https://www.google.com https://www.googletagmanager.com https://tagassistant.google.com; frame-ancestors 'none'; img-src * 'self' data: blob: https://googletagmanager.com https://ads01.groovinads.com/ https://ssl.gstatic.com https://www.gstatic.com; style-src 'self' 'nonce-7b757162b3c926a1c588bc6c1720568a' 'sha256-QGU9B7FUA05/o+j0WTqzhmrVQtxVOddl/DoC66RoyOM=' 'sha256-xWGOGGMGQQ+IV0Om4xzgbDHXUh/+L1c375p0Pb6vF9A=' 'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4=' 'sha256-+2IDGbC7ZZROnE79uLRezet3L0yclBb0/DMZlchxq7g=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' https://fonts.googleapis.com https://www.googletagmanager.com/debug/ 'report-sample';; manifest-src 'self'; media-src 'self'; report-uri https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1; worker-src 'none'; form-action 'self' https://webpay3g.transbank.cl; connect-src 'self' https://perk.cl https://embedx.io https://ads01.groovinads.com/ https://www.googletagmanager.com/debug/ https://analytics.google.com/g/collect https://www.googletagmanager.com/gtag/js https://www.google.com https://stats.g.doubleclick.net/g/collect https://www.gstatic.com https://www.google-analytics.com https://www.recaptcha.net https://d.clarity.ms/collect https://63ee9d651110c9e871bfe9b7.endpoint.csper.io;; report-to 
csp-endpoint;","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://63ee9d651110c9e871bfe9b7.endpoint.csper.io","https://ads01.groovinads.com/","https://analytics.google.com/g/collect","https://d.clarity.ms/collect","https://embedx.io","https://perk.cl","https://stats.g.doubleclick.net/g/collect","https://www.google-analytics.com","https://www.google.com","https://www.googletagmanager.com/debug/","https://www.googletagmanager.com/gtag/js","https://www.gstatic.com","https://www.recaptcha.net"],"default-src":["'none'"],"font-src":["'self'","data:","https://cdn.jsdelivr.net","https://fonts.gstatic.com"],"form-action":["'self'","https://webpay3g.transbank.cl"],"frame-ancestors":["'none'"],"frame-src":["'self'","https://ads01.groovinads.com/grv/","https://tagassistant.google.com","https://www.google.com","https://www.googletagmanager.com"],"img-src":["'self'","*","blob:","data:","https://ads01.groovinads.com/","https://googletagmanager.com","https://ssl.gstatic.com","https://www.gstatic.com"],"manifest-src":["'self'"],"media-src":["'self'"],"object-src":["'none'"],"report-to":["csp-endpoint"],"report-uri":["https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1"],"script-src":["'nonce-2be750de4b21821f1580135cb0e99829'","'report-sample'","'self'","'sha256-9U10x0umstX2PwqDuJcFu6XuusZFzJTynDzxmk9LqC0='","'sha256-A4SWH9KZi9g1aG+lg/eX5mKCW5wM76+T2fe7Cz+F7eg='","'sha256-AcR+h3+aeKtaw2xCtDVoIQuATxKlPEFf9vEoBuJ7LfY='","'sha256-NziETJxYU3QPY4drUTfz3CQb3Kdrdy+cfSiBrvfgqMk='","'sha256-PaC6xY1sPc3RvpviRyC7hWNEXok/kV+yZ6A10gVtaks='","'sha256-Z4WlZ7c18IhihWi9E6O6NXmzc+SJOCqbIPKRSZqbI6E='","'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU='","https://ads01.groovinads.com/","https://analytics.tiktok.com/i18n/pixel/events.js","https://analytics.tiktok.com/i18n/pixel/static/","https://connect.facebook.net/en_US/fbevents.js","https://connect.facebook.net/signals/","https://googleads.g.doubleclick.net/pagead/","https://scripts.clarity.ms/0.8.57/clarity.js","https://stati
c.hotjar.com/c/","https://www.clarity.ms/tag/","https://www.google-analytics.com/analytics.js","https://www.google.com/ccm/collect","https://www.google.com/recaptcha/api.js","https://www.googletagmanager.com/debug/","https://www.googletagmanager.com/gtag/","https://www.googletagmanager.com/gtm.js","https://www.gstatic.com/recaptcha/releases/","https://www.recaptcha.net/recaptcha/api.js"],"style-src":["'nonce-7b757162b3c926a1c588bc6c1720568a'","'report-sample'","'self'","'sha256-+2IDGbC7ZZROnE79uLRezet3L0yclBb0/DMZlchxq7g='","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='","'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4='","'sha256-QGU9B7FUA05/o+j0WTqzhmrVQtxVOddl/DoC66RoyOM='","'sha256-xWGOGGMGQQ+IV0Om4xzgbDHXUh/+L1c375p0Pb6vF9A='","https://fonts.googleapis.com","https://www.googletagmanager.com/debug/"],"worker-src":["'none'"]},"directiveOrder":["default-src","script-src","object-src","base-uri","font-src","frame-src","frame-ancestors","img-src","style-src","manifest-src","media-src","report-uri","worker-src","form-action","connect-src","report-to"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-2be750de4b21821f1580135cb0e99829'":"nonce-source","'nonce-7b757162b3c926a1c588bc6c1720568a'":"nonce-source","'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","'sha256-+2IDGbC7ZZROnE79uLRezet3L0yclBb0/DMZlchxq7g='":"hash-source","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='":"hash-source","'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4='":"hash-source","'sha256-9U10x0umstX2PwqDuJcFu6XuusZFzJTynDzxmk9LqC0='":"hash-source","'sha256-A4SWH9KZi9g1aG+lg/eX5mKCW5wM76+T2fe7Cz+F7eg='":"hash-source","'sha256-AcR+h3+aeKtaw2xCtDVoIQuATxKlPEFf9vEoBuJ7LfY='":"hash-source","'sha256-NziETJxYU3QPY4drUTfz3CQb3Kdrdy+cfSiBrvfgqMk='":"hash-source","'sha256-PaC6xY1sPc3RvpviRyC7hWNEXok/kV+yZ6A10gVtaks='":"hash-source","'sha256-QGU9B7FUA05/o+j0WTqzhmrVQtxVOddl/DoC66RoyOM='":"hash-source","'sha256-Z4WlZ7c18IhihWi9E6
O6NXmzc+SJOCqbIPKRSZqbI6E='":"hash-source","'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU='":"hash-source","'sha256-xWGOGGMGQQ+IV0Om4xzgbDHXUh/+L1c375p0Pb6vF9A='":"hash-source","*":"host-source","blob:":"scheme-source","csp-endpoint":"host-source","data:":"scheme-source","https://63ee9d651110c9e871bfe9b7.endpoint.csper.io":"host-source","https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1":"host-source","https://ads01.groovinads.com/":"host-source","https://ads01.groovinads.com/grv/":"host-source","https://analytics.google.com/g/collect":"host-source","https://analytics.tiktok.com/i18n/pixel/events.js":"host-source","https://analytics.tiktok.com/i18n/pixel/static/":"host-source","https://cdn.jsdelivr.net":"host-source","https://connect.facebook.net/en_US/fbevents.js":"host-source","https://connect.facebook.net/signals/":"host-source","https://d.clarity.ms/collect":"host-source","https://embedx.io":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://googleads.g.doubleclick.net/pagead/":"host-source","https://googletagmanager.com":"host-source","https://perk.cl":"host-source","https://scripts.clarity.ms/0.8.57/clarity.js":"host-source","https://ssl.gstatic.com":"host-source","https://static.hotjar.com/c/":"host-source","https://stats.g.doubleclick.net/g/collect":"host-source","https://tagassistant.google.com":"host-source","https://webpay3g.transbank.cl":"host-source","https://www.clarity.ms/tag/":"host-source","https://www.google-analytics.com":"host-source","https://www.google-analytics.com/analytics.js":"host-source","https://www.google.com":"host-source","https://www.google.com/ccm/collect":"host-source","https://www.google.com/recaptcha/api.js":"host-source","https://www.googletagmanager.com":"host-source","https://www.googletagmanager.com/debug/":"host-source","https://www.googletagmanager.com/gtag/":"host-source","https://www.googletagmanager.com/gtag/js":"host-source","https://www.googletagman
ager.com/gtm.js":"host-source","https://www.gstatic.com":"host-source","https://www.gstatic.com/recaptcha/releases/":"host-source","https://www.recaptcha.net":"host-source","https://www.recaptcha.net/recaptcha/api.js":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'nonce-2be750de4b21821f1580135cb0e99829' 'report-sample' 'self' 'sha256-9U10x0umstX2PwqDuJcFu6XuusZFzJTynDzxmk9LqC0=' 'sha256-A4SWH9KZi9g1aG+lg/eX5mKCW5wM76+T2fe7Cz+F7eg=' 'sha256-AcR+h3+aeKtaw2xCtDVoIQuATxKlPEFf9vEoBuJ7LfY=' 'sha256-NziETJxYU3QPY4drUTfz3CQb3Kdrdy+cfSiBrvfgqMk=' 'sha256-PaC6xY1sPc3RvpviRyC7hWNEXok/kV+yZ6A10gVtaks=' 'sha256-Z4WlZ7c18IhihWi9E6O6NXmzc+SJOCqbIPKRSZqbI6E=' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' https://ads01.groovinads.com/ https://analytics.tiktok.com/i18n/pixel/events.js https://analytics.tiktok.com/i18n/pixel/static/ https://connect.facebook.net/en_US/fbevents.js https://connect.facebook.net/signals/ https://googleads.g.doubleclick.net/pagead/ https://scripts.clarity.ms/0.8.57/clarity.js https://static.hotjar.com/c/ https://www.clarity.ms/tag/ https://www.google-analytics.com/analytics.js https://www.google.com/ccm/collect https://www.google.com/recaptcha/api.js https://www.googletagmanager.com/debug/ https://www.googletagmanager.com/gtag/ https://www.googletagmanager.com/gtm.js https://www.gstatic.com/recaptcha/releases/ https://www.recaptcha.net/recaptcha/api.js; style-src 'nonce-7b757162b3c926a1c588bc6c1720568a' 'report-sample' 'self' 'sha256-+2IDGbC7ZZROnE79uLRezet3L0yclBb0/DMZlchxq7g=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4=' 'sha256-QGU9B7FUA05/o+j0WTqzhmrVQtxVOddl/DoC66RoyOM=' 'sha256-xWGOGGMGQQ+IV0Om4xzgbDHXUh/+L1c375p0Pb6vF9A=' https://fonts.googleapis.com https://www.googletagmanager.com/debug/; object-src 'none'; base-uri 'self'; connect-src 'self' https://63ee9d651110c9e871bfe9b7.endpoint.csper.io https://ads01.groovinads.com/ 
https://analytics.google.com/g/collect https://d.clarity.ms/collect https://embedx.io https://perk.cl https://stats.g.doubleclick.net/g/collect https://www.google-analytics.com https://www.google.com https://www.googletagmanager.com/debug/ https://www.googletagmanager.com/gtag/js https://www.gstatic.com https://www.recaptcha.net; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com; form-action 'self' https://webpay3g.transbank.cl; frame-ancestors 'none'; frame-src 'self' https://ads01.groovinads.com/grv/ https://tagassistant.google.com https://www.google.com https://www.googletagmanager.com; img-src 'self' * blob: data: https://ads01.groovinads.com/ https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com; manifest-src 'self'; media-src 'self'; report-to csp-endpoint; report-uri https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1; worker-src 'none';"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":0,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://ads01.groovinads.com/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a19a1d9f635243d449c401c","ts":"2026-05-29T14:25:29.475Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://learn.dnv.com","isHidden":false,"parsedPolicy":{"policy":"report-uri /csp/report; default-src 'self'; base-uri 'self'; script-src 'self' 'report-sample'; frame-src 'self'; connect-src 'self'; img-src 'self' blob: data:; media-src 'self' blob: data:; style-src 'self' 'report-sample'; font-src 'self' data:; frame-ancestors 'self'; form-action 'self'; object-src 'none'; worker-src 'self'; upgrade-insecure-requests;","directives":{"base-uri":["'self'"],"connect-src":["'self'"],"default-src":["'self'"],"font-src":["'self'","data:"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'"],"img-src":["'self'","blob:","data:"],"media-src":["'self'","blob:","data:"],"object-src":["'none'"],"report-uri":["/csp/report"],"script-src":["'report-sample'","'self'"],"style-src":["'report-sample'","'self'"],"upgrade-insecure-requests":[],"worker-src":["'self'"]},"directiveOrder":["report-uri","default-src","base-uri","script-src","frame-src","connect-src","img-src","media-src","style-src","font-src","frame-ancestors","form-action","object-src","worker-src","upgrade-insecure-requests"],"disposition":"enforce","delivery":"meta","sourceMapping":{"'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","/csp/report":"","blob:":"scheme-source","data:":"scheme-source"}},"disposition":"enforce","source":"meta","policies":["default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; 
img-src 'self' blob: data:; media-src 'self' blob: data:; report-uri /csp/report; upgrade-insecure-requests ; worker-src 'self';"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":0,"totalInfo":0},"recommendations":[]},{"id":"6a199848cdd4ec8a348c120c","ts":"2026-05-29T13:44:40.659Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://Santander.my.salesforce.com","isHidden":false,"parsedPolicy":{"policy":"upgrade-insecure-requests","directives":{"upgrade-insecure-requests":[]},"directiveOrder":["upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{}},"disposition":"enforce","source":"header","policies":["upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a199829cdd4ec8a348c120b","ts":"2026-05-29T13:44:09.703Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://loans.santanderbank.com","isHidden":false,"parsedPolicy":{"policy":"upgrade-insecure-requests","directives":{"upgrade-insecure-requests":[]},"directiveOrder":["upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{}},"disposition":"enforce","source":"header","policies":["upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a1997fccdd4ec8a348c120a","ts":"2026-05-29T13:43:24.25Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://Santander.my.salesforce.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' *.salesforce.com 'report-sample'; style-src *.force.com 'unsafe-inline' 'self' *.salesforce.com *.visualforce.com:*; img-src *.force.com slack-mil-dev.com slack-imgs-mil-dev.com *.slack.com 'self' blob: *.slack-imgs.com slack-imgs-gov.com *.slack-edge.mil *.salesforce-experience.com slack-imgs.com slack-gov-dev.com *.sfdcstatic.com *.slack-edge-gov.com *.salesforce.com *.twimg.com *.my-salesforce.com slack-imgs-gov-dev.com *.slack-edge.com slack-imgs.mil *.cloudinary.com data:; media-src 'self' *.salesforce.com; frame-src *.force.com *.quip.com *.arkoselabs.com 'self' *.youtube-nocookie.com *.youtube.co.uk *.cybersource.com *.youtube.com.br *.youtube.es *.salesforce-experience.com *.salesforceliveagent.com *.adis.ws *.sfdcfc.net *.youtube.ca *.youtube.ie *.cloudinary.com *.vidyard.com *.vimeo.com *.youtube.jp bcove.video *.youtube.fr *.forceusercontent.com *.brightcove.net *.youtube.com *.wistia.net *.salesforce.com *.youtube.nl *.youtube.pl; font-src *.force.com 'self' *.salesforce.com blob: data:; connect-src 'self' *.amazonaws.com *.salesforce.com https://cdn.cbweb.code-builder.platform.salesforce.com api.salesforce.com wss://*.api.salesforce.com *.api.salesforce.com wss://api.salesforce.com wss://*.slack.com; report-to sfdc-csp-ep; report-uri 
https://csp-report.force.com/_/ContentDomainCSPNoAuth?type=mydomain","directives":{"connect-src":["'self'","*.amazonaws.com","*.api.salesforce.com","*.salesforce.com","api.salesforce.com","https://cdn.cbweb.code-builder.platform.salesforce.com","wss://*.api.salesforce.com","wss://*.slack.com","wss://api.salesforce.com"],"default-src":["'self'"],"font-src":["'self'","*.force.com","*.salesforce.com","blob:","data:"],"frame-src":["'self'","*.adis.ws","*.arkoselabs.com","*.brightcove.net","*.cloudinary.com","*.cybersource.com","*.force.com","*.forceusercontent.com","*.quip.com","*.salesforce-experience.com","*.salesforce.com","*.salesforceliveagent.com","*.sfdcfc.net","*.vidyard.com","*.vimeo.com","*.wistia.net","*.youtube-nocookie.com","*.youtube.ca","*.youtube.co.uk","*.youtube.com","*.youtube.com.br","*.youtube.es","*.youtube.fr","*.youtube.ie","*.youtube.jp","*.youtube.nl","*.youtube.pl","bcove.video"],"img-src":["'self'","*.cloudinary.com","*.force.com","*.my-salesforce.com","*.salesforce-experience.com","*.salesforce.com","*.sfdcstatic.com","*.slack-edge-gov.com","*.slack-edge.com","*.slack-edge.mil","*.slack-imgs.com","*.slack.com","*.twimg.com","blob:","data:","slack-gov-dev.com","slack-imgs-gov-dev.com","slack-imgs-gov.com","slack-imgs-mil-dev.com","slack-imgs.com","slack-imgs.mil","slack-mil-dev.com"],"media-src":["'self'","*.salesforce.com"],"report-to":["sfdc-csp-ep"],"report-uri":["https://csp-report.force.com/_/ContentDomainCSPNoAuth?type=mydomain"],"script-src":["'report-sample'","'self'","*.salesforce.com"],"style-src":["'self'","'unsafe-inline'","*.force.com","*.salesforce.com","*.visualforce.com:*"]},"directiveOrder":["default-src","script-src","style-src","img-src","media-src","frame-src","font-src","connect-src","report-to","report-uri"],"disposition":"report","delivery":"header","sourceMapping":{"'report-sample'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","*.adis.ws":"host-source","*.amazonaws.com":"host-source","*
.api.salesforce.com":"host-source","*.arkoselabs.com":"host-source","*.brightcove.net":"host-source","*.cloudinary.com":"host-source","*.cybersource.com":"host-source","*.force.com":"host-source","*.forceusercontent.com":"host-source","*.my-salesforce.com":"host-source","*.quip.com":"host-source","*.salesforce-experience.com":"host-source","*.salesforce.com":"host-source","*.salesforceliveagent.com":"host-source","*.sfdcfc.net":"host-source","*.sfdcstatic.com":"host-source","*.slack-edge-gov.com":"host-source","*.slack-edge.com":"host-source","*.slack-edge.mil":"host-source","*.slack-imgs.com":"host-source","*.slack.com":"host-source","*.twimg.com":"host-source","*.vidyard.com":"host-source","*.vimeo.com":"host-source","*.visualforce.com:*":"host-source","*.wistia.net":"host-source","*.youtube-nocookie.com":"host-source","*.youtube.ca":"host-source","*.youtube.co.uk":"host-source","*.youtube.com":"host-source","*.youtube.com.br":"host-source","*.youtube.es":"host-source","*.youtube.fr":"host-source","*.youtube.ie":"host-source","*.youtube.jp":"host-source","*.youtube.nl":"host-source","*.youtube.pl":"host-source","api.salesforce.com":"host-source","bcove.video":"host-source","blob:":"scheme-source","data:":"scheme-source","https://cdn.cbweb.code-builder.platform.salesforce.com":"host-source","https://csp-report.force.com/_/ContentDomainCSPNoAuth?type=mydomain":"host-source","sfdc-csp-ep":"host-source","slack-gov-dev.com":"host-source","slack-imgs-gov-dev.com":"host-source","slack-imgs-gov.com":"host-source","slack-imgs-mil-dev.com":"host-source","slack-imgs.com":"host-source","slack-imgs.mil":"host-source","slack-mil-dev.com":"host-source","wss://*.api.salesforce.com":"host-source","wss://*.slack.com":"host-source","wss://api.salesforce.com":"host-source"}},"disposition":"report","source":"header","policies":["default-src 'self'; script-src 'report-sample' 'self' *.salesforce.com; style-src 'self' 'unsafe-inline' *.force.com *.salesforce.com *.visualforce.com:*; 
connect-src 'self' *.amazonaws.com *.api.salesforce.com *.salesforce.com api.salesforce.com https://cdn.cbweb.code-builder.platform.salesforce.com wss://*.api.salesforce.com wss://*.slack.com wss://api.salesforce.com; font-src 'self' *.force.com *.salesforce.com blob: data:; frame-src 'self' *.adis.ws *.arkoselabs.com *.brightcove.net *.cloudinary.com *.cybersource.com *.force.com *.forceusercontent.com *.quip.com *.salesforce-experience.com *.salesforce.com *.salesforceliveagent.com *.sfdcfc.net *.vidyard.com *.vimeo.com *.wistia.net *.youtube-nocookie.com *.youtube.ca *.youtube.co.uk *.youtube.com *.youtube.com.br *.youtube.es *.youtube.fr *.youtube.ie *.youtube.jp *.youtube.nl *.youtube.pl bcove.video; img-src 'self' *.cloudinary.com *.force.com *.my-salesforce.com *.salesforce-experience.com *.salesforce.com *.sfdcstatic.com *.slack-edge-gov.com *.slack-edge.com *.slack-edge.mil *.slack-imgs.com *.slack.com *.twimg.com blob: data: slack-gov-dev.com slack-imgs-gov-dev.com slack-imgs-gov.com slack-imgs-mil-dev.com slack-imgs.com slack-imgs.mil slack-mil-dev.com; media-src 'self' *.salesforce.com; report-to sfdc-csp-ep; report-uri https://csp-report.force.com/_/ContentDomainCSPNoAuth?type=mydomain;"],"stats":{"totalHigh":0,"totalMedium":3,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"*.salesforce.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Duplicate or unnecessary source","severity":"LOW","directive":"frame-src","source":"*.youtube.com.br","message":"This source is repeated or unnecessary","recommendation":"Consider moving the extra source","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a199675f635243d449c401b","ts":"2026-05-29T13:36:53.571Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://ipubedit2-te-ui-service.azurewebsites.net/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.ckeditor.com https://code.jquery.com https://stackpath.bootstrapcdn.com https://www.wiris.net; style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com https://fonts.googleapis.com https://www.wiris.net; img-src 'self' data: blob: https://ipubsuite.blob.core.windows.net https://ipubsuitedev.blob.core.windows.net https://ipubsuitetest.blob.core.windows.net https://ipubsuitedemo.blob.core.windows.net https://ipubsuite.integra.co.in https://nlp.integra.co.in https://*.azurewebsites.net https://www.wiris.net; font-src 'self' data: https://fonts.gstatic.com https://www.wiris.net; connect-src 'self' https://ipubsuite.integra.co.in https://nlp.integra.co.in https://*.azurewebsites.net https://ipubsuite.blob.core.windows.net https://ipubsuitedev.blob.core.windows.net https://ipubsuitetest.blob.core.windows.net https://ipubsuitedemo.blob.core.windows.net wss://ipubsuite.integra.co.in wss://nlp.integra.co.in wss://*.azurewebsites.net https://doi.crossref.org https://eutils.ncbi.nlm.nih.gov https://pub.orcid.org https://www.wiris.net https://cdn.ckeditor.com; frame-src 'self'; frame-ancestors 'self'; form-action 'self'; object-src 'none'; media-src 'self' https://ipubsuite.blob.core.windows.net https://ipubsuitedev.blob.core.windows.net https://ipubsuitetest.blob.core.windows.net https://ipubsuitedemo.blob.core.windows.net https://*.azurewebsites.net; manifest-src 'self'; worker-src 'self' blob:; base-uri 
'self'; upgrade-insecure-requests","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://*.azurewebsites.net","https://cdn.ckeditor.com","https://doi.crossref.org","https://eutils.ncbi.nlm.nih.gov","https://ipubsuite.blob.core.windows.net","https://ipubsuite.integra.co.in","https://ipubsuitedemo.blob.core.windows.net","https://ipubsuitedev.blob.core.windows.net","https://ipubsuitetest.blob.core.windows.net","https://nlp.integra.co.in","https://pub.orcid.org","https://www.wiris.net","wss://*.azurewebsites.net","wss://ipubsuite.integra.co.in","wss://nlp.integra.co.in"],"default-src":["'self'"],"font-src":["'self'","data:","https://fonts.gstatic.com","https://www.wiris.net"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'"],"img-src":["'self'","blob:","data:","https://*.azurewebsites.net","https://ipubsuite.blob.core.windows.net","https://ipubsuite.integra.co.in","https://ipubsuitedemo.blob.core.windows.net","https://ipubsuitedev.blob.core.windows.net","https://ipubsuitetest.blob.core.windows.net","https://nlp.integra.co.in","https://www.wiris.net"],"manifest-src":["'self'"],"media-src":["'self'","https://*.azurewebsites.net","https://ipubsuite.blob.core.windows.net","https://ipubsuitedemo.blob.core.windows.net","https://ipubsuitedev.blob.core.windows.net","https://ipubsuitetest.blob.core.windows.net"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","https://cdn.ckeditor.com","https://code.jquery.com","https://stackpath.bootstrapcdn.com","https://www.wiris.net"],"style-src":["'self'","'unsafe-inline'","https://fonts.googleapis.com","https://stackpath.bootstrapcdn.com","https://www.wiris.net"],"upgrade-insecure-requests":[],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","frame-src","frame-ancestors","form-action","object-src","media-src","manifest-src","worker-src","base-uri","upgrade-insecure-requests"],"disposition":"
enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","https://*.azurewebsites.net":"host-source","https://cdn.ckeditor.com":"host-source","https://code.jquery.com":"host-source","https://doi.crossref.org":"host-source","https://eutils.ncbi.nlm.nih.gov":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://ipubsuite.blob.core.windows.net":"host-source","https://ipubsuite.integra.co.in":"host-source","https://ipubsuitedemo.blob.core.windows.net":"host-source","https://ipubsuitedev.blob.core.windows.net":"host-source","https://ipubsuitetest.blob.core.windows.net":"host-source","https://nlp.integra.co.in":"host-source","https://pub.orcid.org":"host-source","https://stackpath.bootstrapcdn.com":"host-source","https://www.wiris.net":"host-source","wss://*.azurewebsites.net":"host-source","wss://ipubsuite.integra.co.in":"host-source","wss://nlp.integra.co.in":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.ckeditor.com https://code.jquery.com https://stackpath.bootstrapcdn.com https://www.wiris.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://stackpath.bootstrapcdn.com https://www.wiris.net; object-src 'none'; base-uri 'self'; connect-src 'self' https://*.azurewebsites.net https://cdn.ckeditor.com https://doi.crossref.org https://eutils.ncbi.nlm.nih.gov https://ipubsuite.blob.core.windows.net https://ipubsuite.integra.co.in https://ipubsuitedemo.blob.core.windows.net https://ipubsuitedev.blob.core.windows.net https://ipubsuitetest.blob.core.windows.net https://nlp.integra.co.in https://pub.orcid.org https://www.wiris.net wss://*.azurewebsites.net wss://ipubsuite.integra.co.in wss://nlp.integra.co.in; font-src 'self' data: 
https://fonts.gstatic.com https://www.wiris.net; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' blob: data: https://*.azurewebsites.net https://ipubsuite.blob.core.windows.net https://ipubsuite.integra.co.in https://ipubsuitedemo.blob.core.windows.net https://ipubsuitedev.blob.core.windows.net https://ipubsuitetest.blob.core.windows.net https://nlp.integra.co.in https://www.wiris.net; manifest-src 'self'; media-src 'self' https://*.azurewebsites.net https://ipubsuite.blob.core.windows.net https://ipubsuitedemo.blob.core.windows.net https://ipubsuitedev.blob.core.windows.net https://ipubsuitetest.blob.core.windows.net; upgrade-insecure-requests ; worker-src 'self' blob:;"],"stats":{"totalHigh":1,"totalMedium":6,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.ckeditor.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://code.jquery.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://stackpath.bootstrapcdn.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.wiris.net","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. 
https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a199635f635243d449c401a","ts":"2026-05-29T13:35:49.494Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://santander--uat.sandbox.my.site.com","isHidden":false,"parsedPolicy":{"policy":"upgrade-insecure-requests","directives":{"upgrade-insecure-requests":[]},"directiveOrder":["upgrade-insecure-requests"],"disposition":"enforce","delivery":"header","sourceMapping":{}},"disposition":"enforce","source":"header","policies":["upgrade-insecure-requests ;"],"stats":{"totalHigh":2,"totalMedium":2,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (no default-src)","severity":"HIGH","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (no default src)","severity":"HIGH","directive":"script","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a1978b8cdd4ec8a348c11f0","ts":"2026-05-29T11:30:00.957Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://sbinewyork.statebank/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://www.google.com https://cdn-page-source.com https://cdn.page-source.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://www.google-analytics.com https://unpkg.com; frame-src 'self' https://www.youtube.com https://www.google.com; object-src 
'none';","directives":{"connect-src":["'self'","https://unpkg.com","https://www.google-analytics.com"],"default-src":["'self'"],"font-src":["'self'","https://fonts.gstatic.com"],"frame-src":["'self'","https://www.google.com","https://www.youtube.com"],"img-src":["'self'","data:","https://cdn-page-source.com","https://cdn.page-source.com","https://www.google.com"],"object-src":["'none'"],"script-src":["'self'","'unsafe-eval'","'unsafe-inline'","https://ajax.googleapis.com","https://cdnjs.cloudflare.com","https://unpkg.com","https://www.google-analytics.com","https://www.googletagmanager.com"],"style-src":["'self'","'unsafe-inline'","https://fonts.googleapis.com"]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","frame-src","object-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","data:":"scheme-source","https://ajax.googleapis.com":"host-source","https://cdn-page-source.com":"host-source","https://cdn.page-source.com":"host-source","https://cdnjs.cloudflare.com":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://unpkg.com":"host-source","https://www.google-analytics.com":"host-source","https://www.google.com":"host-source","https://www.googletagmanager.com":"host-source","https://www.youtube.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://ajax.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com https://www.google-analytics.com https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'none'; connect-src 'self' https://unpkg.com https://www.google-analytics.com; font-src 'self' https://fonts.gstatic.com; frame-src 'self' https://www.google.com https://www.youtube.com; 
img-src 'self' data: https://cdn-page-source.com https://cdn.page-source.com https://www.google.com;"],"stats":{"totalHigh":1,"totalMedium":8,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline on script-src","severity":"HIGH","directive":"script-src","source":"'unsafe-inline'","message":"The usage of 'unsafe-inline' negates the primary CSP protection against XSS.","recommendation":"Remove 'unsafe-inline'. This will probably require a refactoring of code.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://unpkg.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. 
base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://ajax.googleapis.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdnjs.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google-analytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a195c61cdd4ec8a348c11cf","ts":"2026-05-29T09:29:05.457Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://prod-learner-staging.azurewebsites.net/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; form-action 'self'; report-to 'self'; script-src-elem 'self' *.ltimindtree.com *.msauth.net; style-src 'self' 'unsafe-inline' https://use.typekit.net https://p.typekit.net; font-src 'self' *.typekit.net; img-src 'self' data: *.blob.core.windows.net *.youtube.com *.ytimg.com https://i.ytimg.com; connect-src 'self' blob: *.shotclasses.com *.azurewebsites.net *.azureedge.net *.prodc.mkio.tv3cloud.com *.azureedge.net *.bitmovin.com *.microsoftonline.com *.live.com *.access.mcas.ms *.access.mcas-gov.ms *.events.data.microsoft.com *.events.data.microsoft.com *.japanwest.streaming.mediakind.com https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net https://prod1shotclassstorage.blob.core.windows.net wss://devshotclassessignalr.service.signalr.net https://devshotclassessignalr.service.signalr.net https://services1.shotclasses.com; media-src 'self' blob:; worker-src 'self' blob:; frame-src 
'self' *.officeapps.live.com *.youtube.com https://prodblob.shotclasses.com *.slideshare.net; frame-ancestors 'self';","directives":{"connect-src":["'self'","*.access.mcas-gov.ms","*.access.mcas.ms","*.azureedge.net","*.azureedge.net","*.azurewebsites.net","*.bitmovin.com","*.events.data.microsoft.com","*.events.data.microsoft.com","*.japanwest.streaming.mediakind.com","*.live.com","*.microsoftonline.com","*.prodc.mkio.tv3cloud.com","*.shotclasses.com","blob:","https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net","https://devshotclassessignalr.service.signalr.net","https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com","https://prod1shotclassstorage.blob.core.windows.net","https://services1.shotclasses.com","wss://devshotclassessignalr.service.signalr.net"],"default-src":["'self'"],"font-src":["'self'","*.typekit.net"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'","*.officeapps.live.com","*.slideshare.net","*.youtube.com","https://prodblob.shotclasses.com"],"img-src":["'self'","*.blob.core.windows.net","*.youtube.com","*.ytimg.com","data:","https://i.ytimg.com"],"media-src":["'self'","blob:"],"report-to":["'self'"],"script-src-elem":["'self'","*.ltimindtree.com","*.msauth.net"],"style-src":["'self'","'unsafe-inline'","https://p.typekit.net","https://use.typekit.net"],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","form-action","report-to","script-src-elem","style-src","font-src","img-src","connect-src","media-src","worker-src","frame-src","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-inline'":"keyword-source","*.access.mcas-gov.ms":"host-source","*.access.mcas.ms":"host-source","*.azureedge.net":"host-source","*.azurewebsites.net":"host-source","*.bitmovin.com":"host-source","*.blob.core.windows.net":"host-source","*.events.data.microsoft.com":"host-source","*.japanwest.streaming.mediakind.com":"host-source"
,"*.live.com":"host-source","*.ltimindtree.com":"host-source","*.microsoftonline.com":"host-source","*.msauth.net":"host-source","*.officeapps.live.com":"host-source","*.prodc.mkio.tv3cloud.com":"host-source","*.shotclasses.com":"host-source","*.slideshare.net":"host-source","*.typekit.net":"host-source","*.youtube.com":"host-source","*.ytimg.com":"host-source","blob:":"scheme-source","data:":"scheme-source","https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net":"host-source","https://devshotclassessignalr.service.signalr.net":"host-source","https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com":"host-source","https://i.ytimg.com":"host-source","https://p.typekit.net":"host-source","https://prod1shotclassstorage.blob.core.windows.net":"host-source","https://prodblob.shotclasses.com":"host-source","https://services1.shotclasses.com":"host-source","https://use.typekit.net":"host-source","wss://devshotclassessignalr.service.signalr.net":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src-elem 'self' *.ltimindtree.com *.msauth.net; style-src 'self' 'unsafe-inline' https://p.typekit.net https://use.typekit.net; connect-src 'self' *.access.mcas-gov.ms *.access.mcas.ms *.azureedge.net *.azurewebsites.net *.bitmovin.com *.events.data.microsoft.com *.japanwest.streaming.mediakind.com *.live.com *.microsoftonline.com *.prodc.mkio.tv3cloud.com *.shotclasses.com blob: https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net https://devshotclassessignalr.service.signalr.net https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com https://prod1shotclassstorage.blob.core.windows.net https://services1.shotclasses.com wss://devshotclassessignalr.service.signalr.net; font-src 'self' *.typekit.net; form-action 'self'; frame-ancestors 'self'; frame-src 'self' *.officeapps.live.com *.slideshare.net *.youtube.com https://prodblob.shotclasses.com; img-src 
'self' *.blob.core.windows.net *.youtube.com *.ytimg.com data: https://i.ytimg.com; media-src 'self' blob:; report-to 'self'; worker-src 'self' blob:;"],"stats":{"totalHigh":0,"totalMedium":3,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (with default-src)","severity":"MEDIUM","directive":"script-src","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing. Right now it is falling back to default-src","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing base-uri","severity":"MEDIUM","directive":"base-uri","source":"","message":"If an attacker is able to inject into the \u003chead\u003e of the document, they can spoof a different base-uri resulting in an XSS.","recommendation":"Set base-uri to 'self' or 'none' if possible. base-uri does not fall back to default-src.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. 
This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a195b08cdd4ec8a348c11ce","ts":"2026-05-29T09:23:20.74Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://learner3.shotclasses.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; object-src 'none'; script-src 'self'; base-uri 'none'; form-action 'self'; report-to 'self'; script-src-elem 'self' *.ltimindtree.com *.msauth.net; style-src 'self' 'unsafe-inline' https://use.typekit.net https://p.typekit.net; font-src 'self' *.typekit.net; img-src 'self' data: *.blob.core.windows.net *.youtube.com *.ytimg.com https://i.ytimg.com; connect-src 'self' blob: *.shotclasses.com *.azurewebsites.net *.azureedge.net *.prodc.mkio.tv3cloud.com *.azureedge.net *.bitmovin.com *.microsoftonline.com *.live.com *.access.mcas.ms *.access.mcas-gov.ms *.events.data.microsoft.com *.events.data.microsoft.com 
*.japanwest.streaming.mediakind.com https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net https://prod1shotclassstorage.blob.core.windows.net wss://devshotclassessignalr.service.signalr.net https://devshotclassessignalr.service.signalr.net https://services1.shotclasses.com; media-src 'self' blob:; worker-src 'self' blob:; frame-src 'self' *.officeapps.live.com *.youtube.com https://prodblob.shotclasses.com *.slideshare.net;","directives":{"base-uri":["'none'"],"connect-src":["'self'","*.access.mcas-gov.ms","*.access.mcas.ms","*.azureedge.net","*.azureedge.net","*.azurewebsites.net","*.bitmovin.com","*.events.data.microsoft.com","*.events.data.microsoft.com","*.japanwest.streaming.mediakind.com","*.live.com","*.microsoftonline.com","*.prodc.mkio.tv3cloud.com","*.shotclasses.com","blob:","https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net","https://devshotclassessignalr.service.signalr.net","https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com","https://prod1shotclassstorage.blob.core.windows.net","https://services1.shotclasses.com","wss://devshotclassessignalr.service.signalr.net"],"default-src":["'self'"],"font-src":["'self'","*.typekit.net"],"form-action":["'self'"],"frame-src":["'self'","*.officeapps.live.com","*.slideshare.net","*.youtube.com","https://prodblob.shotclasses.com"],"img-src":["'self'","*.blob.core.windows.net","*.youtube.com","*.ytimg.com","data:","https://i.ytimg.com"],"media-src":["'self'","blob:"],"object-src":["'none'"],"report-to":["'self'"],"script-src":["'self'"],"script-src-elem":["'self'","*.ltimindtree.com","*.msauth.net"],"style-src":["'self'","'unsafe-inline'","https://p.typekit.net","https://use.typekit.net"],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","object-src","script-src","base-uri","form-action","report-to","script-src-elem","style-src","font-src","img-src","connect-src
","media-src","worker-src","frame-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","*.access.mcas-gov.ms":"host-source","*.access.mcas.ms":"host-source","*.azureedge.net":"host-source","*.azurewebsites.net":"host-source","*.bitmovin.com":"host-source","*.blob.core.windows.net":"host-source","*.events.data.microsoft.com":"host-source","*.japanwest.streaming.mediakind.com":"host-source","*.live.com":"host-source","*.ltimindtree.com":"host-source","*.microsoftonline.com":"host-source","*.msauth.net":"host-source","*.officeapps.live.com":"host-source","*.prodc.mkio.tv3cloud.com":"host-source","*.shotclasses.com":"host-source","*.slideshare.net":"host-source","*.typekit.net":"host-source","*.youtube.com":"host-source","*.ytimg.com":"host-source","blob:":"scheme-source","data:":"scheme-source","https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net":"host-source","https://devshotclassessignalr.service.signalr.net":"host-source","https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com":"host-source","https://i.ytimg.com":"host-source","https://p.typekit.net":"host-source","https://prod1shotclassstorage.blob.core.windows.net":"host-source","https://prodblob.shotclasses.com":"host-source","https://services1.shotclasses.com":"host-source","https://use.typekit.net":"host-source","wss://devshotclassessignalr.service.signalr.net":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self'; script-src-elem 'self' *.ltimindtree.com *.msauth.net; style-src 'self' 'unsafe-inline' https://p.typekit.net https://use.typekit.net; object-src 'none'; base-uri 'none'; connect-src 'self' *.access.mcas-gov.ms *.access.mcas.ms *.azureedge.net *.azurewebsites.net *.bitmovin.com *.events.data.microsoft.com *.japanwest.streaming.mediakind.com *.live.com *.microsoftonline.com *.prodc.mkio.tv3cloud.com 
*.shotclasses.com blob: https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net https://devshotclassessignalr.service.signalr.net https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com https://prod1shotclassstorage.blob.core.windows.net https://services1.shotclasses.com wss://devshotclassessignalr.service.signalr.net; font-src 'self' *.typekit.net; form-action 'self'; frame-src 'self' *.officeapps.live.com *.slideshare.net *.youtube.com https://prodblob.shotclasses.com; img-src 'self' *.blob.core.windows.net *.youtube.com *.ytimg.com data: https://i.ytimg.com; media-src 'self' blob:; report-to 'self'; worker-src 'self' blob:;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a195ac1f635243d449c3fe3","ts":"2026-05-29T09:22:09.463Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://inbound.bt.basware.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; img-src 'self' data: blob: https://heapanalytics.com; style-src 'self' 'unsafe-inline' https://heapanalytics.com; script-src 'nonce-NLqOyxrVhDZnks5JJd01nw' 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.heapanalytics.com https://heapanalytics.com; connect-src 'self' https://heapanalytics.com; font-src 'self' data: https://heapanalytics.com; object-src 'none'; base-uri 'self'; frame-ancestors 'self';","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://heapanalytics.com"],"default-src":["'self'"],"font-src":["'self'","data:","https://heapanalytics.com"],"frame-ancestors":["'self'"],"img-src":["'self'","blob:","data:","https://heapanalytics.com"],"object-src":["'none'"],"script-src":["'nonce-NLqOyxrVhDZnks5JJd01nw'","'self'","'unsafe-eval'","'unsafe-inline'","https://cdn.heapanalytics.com","https://heapanalytics.com"],"style-src":["'self'","'unsafe-inline'","https://heapanalytics.com"]},"directiveOrder":["default-src","img-src","style-src","script-src","connect-src","font-src","object-src","base-uri","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-NLqOyxrVhDZnks5JJd01nw'":"nonce-source","'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","https://cdn.heapanalytics.com":"host-source","https://heapanalytics.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 
'nonce-NLqOyxrVhDZnks5JJd01nw' 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.heapanalytics.com https://heapanalytics.com; style-src 'self' 'unsafe-inline' https://heapanalytics.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://heapanalytics.com; font-src 'self' data: https://heapanalytics.com; frame-ancestors 'self'; img-src 'self' blob: data: https://heapanalytics.com;"],"stats":{"totalHigh":0,"totalMedium":4,"totalLow":4,"totalInfo":1},"recommendations":[{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cdn.heapanalytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://heapanalytics.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). 
This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"unsafe-inline is ignored when using nonces or hashes as a source","severity":"INFO","directive":"script-src","source":"unsafe-inline","message":"The usage of nonces and hashes means the policy ignores unsafe-inline. This can impact usability if you haven't whitelisted all inline script","recommendation":"","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a19536ecdd4ec8a348c11cd","ts":"2026-05-29T08:50:54.595Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://learner3.shotclasses.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; object-src 'none'; script-src 'self'; base-uri 'none'; form-action 'self'; report-to 'self'; script-src-elem 'self' *.ltimindtree.com *.msauth.net; style-src 'self' 'unsafe-inline' https://use.typekit.net https://p.typekit.net; font-src 'self' *.typekit.net; img-src 'self' data: *.blob.core.windows.net *.youtube.com *.ytimg.com https://i.ytimg.com; connect-src 'self' blob: *.shotclasses.com *.azurewebsites.net *.azureedge.net *.prodc.mkio.tv3cloud.com *.azureedge.net *.bitmovin.com *.microsoftonline.com *.live.com *.access.mcas.ms *.access.mcas-gov.ms *.events.data.microsoft.com *.events.data.microsoft.com 
*.japanwest.streaming.mediakind.com https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net https://prod1shotclassstorage.blob.core.windows.net wss://devshotclassessignalr.service.signalr.net https://devshotclassessignalr.service.signalr.net https://services1.shotclasses.com; media-src 'self' blob:; worker-src 'self' blob:; frame-src 'self' *.officeapps.live.com *.youtube.com https://prodblob.shotclasses.com *.slideshare.net;","directives":{"base-uri":["'none'"],"connect-src":["'self'","*.access.mcas-gov.ms","*.access.mcas.ms","*.azureedge.net","*.azureedge.net","*.azurewebsites.net","*.bitmovin.com","*.events.data.microsoft.com","*.events.data.microsoft.com","*.japanwest.streaming.mediakind.com","*.live.com","*.microsoftonline.com","*.prodc.mkio.tv3cloud.com","*.shotclasses.com","blob:","https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net","https://devshotclassessignalr.service.signalr.net","https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com","https://prod1shotclassstorage.blob.core.windows.net","https://services1.shotclasses.com","wss://devshotclassessignalr.service.signalr.net"],"default-src":["'self'"],"font-src":["'self'","*.typekit.net"],"form-action":["'self'"],"frame-src":["'self'","*.officeapps.live.com","*.slideshare.net","*.youtube.com","https://prodblob.shotclasses.com"],"img-src":["'self'","*.blob.core.windows.net","*.youtube.com","*.ytimg.com","data:","https://i.ytimg.com"],"media-src":["'self'","blob:"],"object-src":["'none'"],"report-to":["'self'"],"script-src":["'self'"],"script-src-elem":["'self'","*.ltimindtree.com","*.msauth.net"],"style-src":["'self'","'unsafe-inline'","https://p.typekit.net","https://use.typekit.net"],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","object-src","script-src","base-uri","form-action","report-to","script-src-elem","style-src","font-src","img-src","connect-src
","media-src","worker-src","frame-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","*.access.mcas-gov.ms":"host-source","*.access.mcas.ms":"host-source","*.azureedge.net":"host-source","*.azurewebsites.net":"host-source","*.bitmovin.com":"host-source","*.blob.core.windows.net":"host-source","*.events.data.microsoft.com":"host-source","*.japanwest.streaming.mediakind.com":"host-source","*.live.com":"host-source","*.ltimindtree.com":"host-source","*.microsoftonline.com":"host-source","*.msauth.net":"host-source","*.officeapps.live.com":"host-source","*.prodc.mkio.tv3cloud.com":"host-source","*.shotclasses.com":"host-source","*.slideshare.net":"host-source","*.typekit.net":"host-source","*.youtube.com":"host-source","*.ytimg.com":"host-source","blob:":"scheme-source","data:":"scheme-source","https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net":"host-source","https://devshotclassessignalr.service.signalr.net":"host-source","https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com":"host-source","https://i.ytimg.com":"host-source","https://p.typekit.net":"host-source","https://prod1shotclassstorage.blob.core.windows.net":"host-source","https://prodblob.shotclasses.com":"host-source","https://services1.shotclasses.com":"host-source","https://use.typekit.net":"host-source","wss://devshotclassessignalr.service.signalr.net":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self'; script-src-elem 'self' *.ltimindtree.com *.msauth.net; style-src 'self' 'unsafe-inline' https://p.typekit.net https://use.typekit.net; object-src 'none'; base-uri 'none'; connect-src 'self' *.access.mcas-gov.ms *.access.mcas.ms *.azureedge.net *.azurewebsites.net *.bitmovin.com *.events.data.microsoft.com *.japanwest.streaming.mediakind.com *.live.com *.microsoftonline.com *.prodc.mkio.tv3cloud.com 
*.shotclasses.com blob: https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net https://devshotclassessignalr.service.signalr.net https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com https://prod1shotclassstorage.blob.core.windows.net https://services1.shotclasses.com wss://devshotclassessignalr.service.signalr.net; font-src 'self' *.typekit.net; form-action 'self'; frame-src 'self' *.officeapps.live.com *.slideshare.net *.youtube.com https://prodblob.shotclasses.com; img-src 'self' *.blob.core.windows.net *.youtube.com *.ytimg.com data: https://i.ytimg.com; media-src 'self' blob:; report-to 'self'; worker-src 'self' blob:;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a195353cdd4ec8a348c11cc","ts":"2026-05-29T08:50:27.877Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://portal1.shotclasses.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self'; object-src 'none'; script-src 'self'; base-uri 'none'; form-action 'self'; report-to 'self'; script-src-elem 'self' *.ltimindtree.com *.msauth.net https://ajax.googleapis.com 'sha256-Jyql8M9LQNpaXbDAtQO+HGwRwXoeYBTo96++LGdLnJg=' 'sha256-jB0j8u1bZgEKlg/cxZdEG1dZHWv0L0lN11vFQ3Hj0os=' 'sha256-EOiU1DmdCeiViHgptIZ2m92+1KJqfqmOo0pYGSuYrD8='; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://use.typekit.net https://p.typekit.net; font-src 'self' *.typekit.net; img-src 'self' data: *.blob.core.windows.net *.youtube.com *.ytimg.com https://i.ytimg.com https://img-c.udemycdn.com; connect-src 'self' *.shotclasses.com *.azurewebsites.net *.azureedge.net *.prodc.mkio.tv3cloud.com *.azureedge.net *.bitmovin.com *.microsoftonline.com *.live.com *.access.mcas.ms *.access.mcas-gov.ms *.events.data.microsoft.com *.events.data.microsoft.com *.japanwest.streaming.mediakind.com https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net https://prod1shotclassstorage.blob.core.windows.net wss://devshotclassessignalr.service.signalr.net https://devshotclassessignalr.service.signalr.net https://services1.shotclasses.com; media-src 'self' blob:; worker-src 'self' blob:; frame-src 'self' *.officeapps.live.com *.youtube.com https://prodblob.shotclasses.com *.blob.core.windows.net *.slideshare.net;frame-ancestors 
'self';","directives":{"base-uri":["'none'"],"connect-src":["'self'","*.access.mcas-gov.ms","*.access.mcas.ms","*.azureedge.net","*.azureedge.net","*.azurewebsites.net","*.bitmovin.com","*.events.data.microsoft.com","*.events.data.microsoft.com","*.japanwest.streaming.mediakind.com","*.live.com","*.microsoftonline.com","*.prodc.mkio.tv3cloud.com","*.shotclasses.com","https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net","https://devshotclassessignalr.service.signalr.net","https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com","https://prod1shotclassstorage.blob.core.windows.net","https://services1.shotclasses.com","wss://devshotclassessignalr.service.signalr.net"],"default-src":["'self'"],"font-src":["'self'","*.typekit.net"],"form-action":["'self'"],"frame-ancestors":["'self'"],"frame-src":["'self'","*.blob.core.windows.net","*.officeapps.live.com","*.slideshare.net","*.youtube.com","https://prodblob.shotclasses.com"],"img-src":["'self'","*.blob.core.windows.net","*.youtube.com","*.ytimg.com","data:","https://i.ytimg.com","https://img-c.udemycdn.com"],"media-src":["'self'","blob:"],"object-src":["'none'"],"report-to":["'self'"],"script-src":["'self'"],"script-src-elem":["'self'","'sha256-EOiU1DmdCeiViHgptIZ2m92+1KJqfqmOo0pYGSuYrD8='","'sha256-Jyql8M9LQNpaXbDAtQO+HGwRwXoeYBTo96++LGdLnJg='","'sha256-jB0j8u1bZgEKlg/cxZdEG1dZHWv0L0lN11vFQ3Hj0os='","*.ltimindtree.com","*.msauth.net","https://ajax.googleapis.com"],"style-src":["'self'","'unsafe-inline'"],"style-src-elem":["'self'","'unsafe-inline'","https://p.typekit.net","https://use.typekit.net"],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","object-src","script-src","base-uri","form-action","report-to","script-src-elem","style-src","style-src-elem","font-src","img-src","connect-src","media-src","worker-src","frame-src","frame-ancestors"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'sha256
-EOiU1DmdCeiViHgptIZ2m92+1KJqfqmOo0pYGSuYrD8='":"hash-source","'sha256-Jyql8M9LQNpaXbDAtQO+HGwRwXoeYBTo96++LGdLnJg='":"hash-source","'sha256-jB0j8u1bZgEKlg/cxZdEG1dZHWv0L0lN11vFQ3Hj0os='":"hash-source","'unsafe-inline'":"keyword-source","*.access.mcas-gov.ms":"host-source","*.access.mcas.ms":"host-source","*.azureedge.net":"host-source","*.azurewebsites.net":"host-source","*.bitmovin.com":"host-source","*.blob.core.windows.net":"host-source","*.events.data.microsoft.com":"host-source","*.japanwest.streaming.mediakind.com":"host-source","*.live.com":"host-source","*.ltimindtree.com":"host-source","*.microsoftonline.com":"host-source","*.msauth.net":"host-source","*.officeapps.live.com":"host-source","*.prodc.mkio.tv3cloud.com":"host-source","*.shotclasses.com":"host-source","*.slideshare.net":"host-source","*.typekit.net":"host-source","*.youtube.com":"host-source","*.ytimg.com":"host-source","blob:":"scheme-source","data:":"scheme-source","https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net":"host-source","https://ajax.googleapis.com":"host-source","https://devshotclassessignalr.service.signalr.net":"host-source","https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com":"host-source","https://i.ytimg.com":"host-source","https://img-c.udemycdn.com":"host-source","https://p.typekit.net":"host-source","https://prod1shotclassstorage.blob.core.windows.net":"host-source","https://prodblob.shotclasses.com":"host-source","https://services1.shotclasses.com":"host-source","https://use.typekit.net":"host-source","wss://devshotclassessignalr.service.signalr.net":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self'; script-src 'self'; script-src-elem 'self' 'sha256-EOiU1DmdCeiViHgptIZ2m92+1KJqfqmOo0pYGSuYrD8=' 'sha256-Jyql8M9LQNpaXbDAtQO+HGwRwXoeYBTo96++LGdLnJg=' 'sha256-jB0j8u1bZgEKlg/cxZdEG1dZHWv0L0lN11vFQ3Hj0os=' *.ltimindtree.com *.msauth.net https://ajax.googleapis.com; style-src 'self' 
'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://p.typekit.net https://use.typekit.net; object-src 'none'; base-uri 'none'; connect-src 'self' *.access.mcas-gov.ms *.access.mcas.ms *.azureedge.net *.azurewebsites.net *.bitmovin.com *.events.data.microsoft.com *.japanwest.streaming.mediakind.com *.live.com *.microsoftonline.com *.prodc.mkio.tv3cloud.com *.shotclasses.com https://Prod1MediaKindAFD-cwg8edajgybscefk.a03.azurefd.net https://devshotclassessignalr.service.signalr.net https://ep-prod1streamingendpoint-prod1mediakindservice.westeurope.streaming.mediakind.com https://prod1shotclassstorage.blob.core.windows.net https://services1.shotclasses.com wss://devshotclassessignalr.service.signalr.net; font-src 'self' *.typekit.net; form-action 'self'; frame-ancestors 'self'; frame-src 'self' *.blob.core.windows.net *.officeapps.live.com *.slideshare.net *.youtube.com https://prodblob.shotclasses.com; img-src 'self' *.blob.core.windows.net *.youtube.com *.ytimg.com data: https://i.ytimg.com https://img-c.udemycdn.com; media-src 'self' blob:; report-to 'self'; worker-src 'self' blob:;"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":4,"totalInfo":0},"recommendations":[{"title":"Usage of unsafe-inline outside of script/style/default directive","severity":"LOW","directive":"style-src-elem","source":"'unsafe-inline'","message":"'unsafe-inline' is not valid outside of script-src/style-src/default-src","recommendation":"Delete the unsafe-inline","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. 
This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a1909f2cdd4ec8a348c11c4","ts":"2026-05-29T03:37:22.181Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://cimbvpn.cimb.com","isHidden":false,"parsedPolicy":{"policy":"default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content","directives":{"base-uri":["'self'"],"block-all-mixed-content":[],"default-src":["'self'","'unsafe-eval'","'unsafe-inline'","blob:","data:"],"frame-ancestors":["'self'"]},"directiveOrder":["default-src","frame-ancestors","base-uri","block-all-mixed-content"],"disposition":"enforce","delivery":"header","sourceMapping":{"'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source"}},"disposition":"enforce","source":"header","policies":["default-src 
'self' 'unsafe-eval' 'unsafe-inline' blob: data:; base-uri 'self'; block-all-mixed-content ; frame-ancestors 'self';"],"stats":{"totalHigh":1,"totalMedium":3,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Usage of permissive scheme-source in sensitive directive","severity":"HIGH","directive":"default-src","source":"data:","message":"Using an unsafe scheme/source in a sensitive directive bypasses the primary benefit of CSP.","recommendation":"Remove the unsafe source/scheme","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing object-src (with non-restrictive default-src)","severity":"MEDIUM","directive":"object-src","source":"","message":"object-src is a sensitive directive that may allow XSS (or similar) if missing.","recommendation":"Set object-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing script-src (with default-src)","severity":"MEDIUM","directive":"script-src","source":"","message":"script-src is a sensitive directive that may allow XSS (or similar) if missing. Right now it is falling back to default-src","recommendation":"Set script-src to 'none' or the bare minimum necessary.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Missing form-action","severity":"LOW","directive":"form-action","source":"","message":"There's no defined form-action. 
Sometimes form-action abuse can be used to smuggle tokens and other sensitive information out of a page.","recommendation":"Set form-action to 'none' or 'self', or the most restrictive value possible.","docs":"https://csper.io/docs/directives","docsTitle":"directives"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a18ac0bcdd4ec8a348c11bb","ts":"2026-05-28T20:56:43.757Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://ahorro.segurosliderbci.cl/data","isHidden":false,"parsedPolicy":{"policy":"; script-src 'self' 'report-sample' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'report-sample' 'self' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' 'sha256-XnzaHF/tNgth81us0oO2uUiH1IsEuN/XhNWmYPhiuWI=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' https://cdn.jsdelivr.net https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://embedx.io https://payment-portal-api.trytoku.com; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com data:; frame-src 'self' https://www.google.com https://toku-portal-auth-prod.firebaseapp.com/; frame-ancestors https://td.doubleclick.net/;; img-src * 'self' data: blob:; manifest-src 'self'; media-src 'self'; report-uri https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1; form-action 'self'; worker-src 
'none'","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://embedx.io","https://payment-portal-api.trytoku.com"],"font-src":["'self'","data:","https://cdn.jsdelivr.net","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["https://td.doubleclick.net/"],"frame-src":["'self'","https://toku-portal-auth-prod.firebaseapp.com/","https://www.google.com"],"img-src":["'self'","*","blob:","data:"],"manifest-src":["'self'"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1"],"script-src":["'report-sample'","'self'","'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU='","https://www.google.com/recaptcha/","https://www.gstatic.com/recaptcha/"],"style-src":["'report-sample'","'self'","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='","'sha256-XnzaHF/tNgth81us0oO2uUiH1IsEuN/XhNWmYPhiuWI='","'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU='","https://cdn.jsdelivr.net","https://fonts.googleapis.com"],"worker-src":["'none'"]},"directiveOrder":["script-src","style-src","object-src","base-uri","connect-src","font-src","frame-src","frame-ancestors","img-src","manifest-src","media-src","report-uri","form-action","worker-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='":"hash-source","'sha256-XnzaHF/tNgth81us0oO2uUiH1IsEuN/XhNWmYPhiuWI='":"hash-source","'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU='":"hash-source","*":"host-source","blob:":"scheme-source","data:":"scheme-source","https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1":"host-source","https://cdn.jsdelivr.net":"host-source","https://embedx.io":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://payment-portal-api.trytoku.com":"host-source","https://td.doubleclick.net/":"host-source","https
://toku-portal-auth-prod.firebaseapp.com/":"host-source","https://www.google.com":"host-source","https://www.google.com/recaptcha/":"host-source","https://www.gstatic.com/recaptcha/":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'report-sample' 'self' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'report-sample' 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-XnzaHF/tNgth81us0oO2uUiH1IsEuN/XhNWmYPhiuWI=' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' https://cdn.jsdelivr.net https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://embedx.io https://payment-portal-api.trytoku.com; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com; form-action 'self'; frame-ancestors https://td.doubleclick.net/; frame-src 'self' https://toku-portal-auth-prod.firebaseapp.com/ https://www.google.com; img-src 'self' * blob: data:; manifest-src 'self'; media-src 'self'; report-uri https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1; worker-src 'none';"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":0,"totalInfo":0},"recommendations":[]},{"id":"6a18a92ff635243d449c3fd5","ts":"2026-05-28T20:44:31.388Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://ahorro.segurosliderbci.cl/data","isHidden":false,"parsedPolicy":{"policy":"; script-src 'self' 'report-sample' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'report-sample' 'self' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' 'sha256-XnzaHF/tNgth81us0oO2uUiH1IsEuN/XhNWmYPhiuWI=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' https://cdn.jsdelivr.net https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://embedx.io 
https://payment-portal-api.trytoku.com; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com data:; frame-src 'self' https://www.google.com https://toku-portal-auth-prod.firebaseapp.com/; frame-ancestors https://td.doubleclick.net/;; img-src * 'self' data: blob:; manifest-src 'self'; media-src 'self'; report-uri https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1; form-action 'self'; worker-src 'none'","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://embedx.io","https://payment-portal-api.trytoku.com"],"font-src":["'self'","data:","https://cdn.jsdelivr.net","https://fonts.gstatic.com"],"form-action":["'self'"],"frame-ancestors":["https://td.doubleclick.net/"],"frame-src":["'self'","https://toku-portal-auth-prod.firebaseapp.com/","https://www.google.com"],"img-src":["'self'","*","blob:","data:"],"manifest-src":["'self'"],"media-src":["'self'"],"object-src":["'none'"],"report-uri":["https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1"],"script-src":["'report-sample'","'self'","'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU='","https://www.google.com/recaptcha/","https://www.gstatic.com/recaptcha/"],"style-src":["'report-sample'","'self'","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='","'sha256-XnzaHF/tNgth81us0oO2uUiH1IsEuN/XhNWmYPhiuWI='","'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU='","https://cdn.jsdelivr.net","https://fonts.googleapis.com"],"worker-src":["'none'"]},"directiveOrder":["script-src","style-src","object-src","base-uri","connect-src","font-src","frame-src","frame-ancestors","img-src","manifest-src","media-src","report-uri","form-action","worker-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='":"hash-source","'sha256-XnzaHF/tNgth81us0oO2uUiH1IsEuN/XhNWmYPhiuWI='":"hash-source","'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU='":"ha
sh-source","*":"host-source","blob:":"scheme-source","data:":"scheme-source","https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1":"host-source","https://cdn.jsdelivr.net":"host-source","https://embedx.io":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://payment-portal-api.trytoku.com":"host-source","https://td.doubleclick.net/":"host-source","https://toku-portal-auth-prod.firebaseapp.com/":"host-source","https://www.google.com":"host-source","https://www.google.com/recaptcha/":"host-source","https://www.gstatic.com/recaptcha/":"host-source"}},"disposition":"enforce","source":"header","policies":["script-src 'report-sample' 'self' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'report-sample' 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-XnzaHF/tNgth81us0oO2uUiH1IsEuN/XhNWmYPhiuWI=' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' https://cdn.jsdelivr.net https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self' https://embedx.io https://payment-portal-api.trytoku.com; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com; form-action 'self'; frame-ancestors https://td.doubleclick.net/; frame-src 'self' https://toku-portal-auth-prod.firebaseapp.com/ https://www.google.com; img-src 'self' * blob: data:; manifest-src 'self'; media-src 'self'; report-uri https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1; worker-src 'none';"],"stats":{"totalHigh":0,"totalMedium":0,"totalLow":0,"totalInfo":0},"recommendations":[]},{"id":"6a18a1cccdd4ec8a348c11ba","ts":"2026-05-28T20:13:00.16Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://truepayusa.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'nonce-nEqwqI3ir1Y3N4YVArkp89' 'unsafe-eval' 
https://challenges.cloudflare.com; script-src-attr 'none'; style-src 'unsafe-inline'; img-src 'self' https://challenges.cloudflare.com; connect-src 'self' https://challenges.cloudflare.com; frame-src 'self' https://challenges.cloudflare.com blob:; child-src 'self' https://challenges.cloudflare.com blob:; worker-src blob:; form-action http: https:; base-uri 'self'","directives":{"base-uri":["'self'"],"child-src":["'self'","blob:","https://challenges.cloudflare.com"],"connect-src":["'self'","https://challenges.cloudflare.com"],"default-src":["'none'"],"form-action":["http:","https:"],"frame-src":["'self'","blob:","https://challenges.cloudflare.com"],"img-src":["'self'","https://challenges.cloudflare.com"],"script-src":["'nonce-nEqwqI3ir1Y3N4YVArkp89'","'unsafe-eval'","https://challenges.cloudflare.com"],"script-src-attr":["'none'"],"style-src":["'unsafe-inline'"],"worker-src":["blob:"]},"directiveOrder":["default-src","script-src","script-src-attr","style-src","img-src","connect-src","frame-src","child-src","worker-src","form-action","base-uri"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-nEqwqI3ir1Y3N4YVArkp89'":"nonce-source","'none'":"keyword-source","'self'":"keyword-source","'unsafe-eval'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","http:":"scheme-source","https:":"scheme-source","https://challenges.cloudflare.com":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'nonce-nEqwqI3ir1Y3N4YVArkp89' 'unsafe-eval' https://challenges.cloudflare.com; script-src-attr 'none'; style-src 'unsafe-inline'; base-uri 'self'; child-src 'self' blob: https://challenges.cloudflare.com; connect-src 'self' https://challenges.cloudflare.com; form-action http: https:; frame-src 'self' blob: https://challenges.cloudflare.com; img-src 'self' https://challenges.cloudflare.com; worker-src 
blob:;"],"stats":{"totalHigh":0,"totalMedium":4,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Unsafe usage of unsafe-eval","severity":"MEDIUM","directive":"script-src","source":"'unsafe-eval'","message":"Using 'unsafe-eval' can sometimes allow arbitrary javascript execution.","recommendation":"Remove 'unsafe-eval' from the script-src. This may require some refactoring or changing of libraries.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://challenges.cloudflare.com","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"form-action","source":"http:","message":"Allowing content over insecure channels can allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. 
This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a18735d3ab8d6d37c5b5e0e","ts":"2026-05-28T16:54:53.217Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://aurora-uat1.consilio.com/","isHidden":false,"parsedPolicy":{"policy":"default-src 'self' https://*.consilio.com; script-src 'self' https://www.googletagmanager.com/ https://www.google-analytics.com/ https://*.consilio.com https://cmp.osano.com/; style-src 'self' 'unsafe-inline' https://*.consilio.com; img-src 'self' data: https://www.google-analytics.com/ https://www.googletagmanager.com/ https://*.consilio.com https://flagcdn.com https://fonts.gstatic.com https://gateway.zscalerthree.net/; font-src 'self' data: https://*.consilio.com; connect-src 'self' https://www.google-analytics.com/ https://region1.google-analytics.com/ https://www.googletagmanager.com/ https://*.consilio.com https://login.microsoftonline.com https://*.osano.com/ http://127.0.0.1:12680 https://127.0.0.1:12680 https://localhost:12680; frame-src https://www.googletagmanager.com/ https://*.consilio.com https://app.powerbi.com; object-src 'none'; frame-ancestors 'none'; base-uri 'self' https://*.consilio.com; form-action 'self' https://*.consilio.com; worker-src 'self' 
blob:;","directives":{"base-uri":["'self'","https://*.consilio.com"],"connect-src":["'self'","http://127.0.0.1:12680","https://*.consilio.com","https://*.osano.com/","https://127.0.0.1:12680","https://localhost:12680","https://login.microsoftonline.com","https://region1.google-analytics.com/","https://www.google-analytics.com/","https://www.googletagmanager.com/"],"default-src":["'self'","https://*.consilio.com"],"font-src":["'self'","data:","https://*.consilio.com"],"form-action":["'self'","https://*.consilio.com"],"frame-ancestors":["'none'"],"frame-src":["https://*.consilio.com","https://app.powerbi.com","https://www.googletagmanager.com/"],"img-src":["'self'","data:","https://*.consilio.com","https://flagcdn.com","https://fonts.gstatic.com","https://gateway.zscalerthree.net/","https://www.google-analytics.com/","https://www.googletagmanager.com/"],"object-src":["'none'"],"script-src":["'self'","https://*.consilio.com","https://cmp.osano.com/","https://www.google-analytics.com/","https://www.googletagmanager.com/"],"style-src":["'self'","'unsafe-inline'","https://*.consilio.com"],"worker-src":["'self'","blob:"]},"directiveOrder":["default-src","script-src","style-src","img-src","font-src","connect-src","frame-src","object-src","frame-ancestors","base-uri","form-action","worker-src"],"disposition":"enforce","delivery":"header","sourceMapping":{"'none'":"keyword-source","'self'":"keyword-source","'unsafe-inline'":"keyword-source","blob:":"scheme-source","data:":"scheme-source","http://127.0.0.1:12680":"host-source","https://*.consilio.com":"host-source","https://*.osano.com/":"host-source","https://127.0.0.1:12680":"host-source","https://app.powerbi.com":"host-source","https://cmp.osano.com/":"host-source","https://flagcdn.com":"host-source","https://fonts.gstatic.com":"host-source","https://gateway.zscalerthree.net/":"host-source","https://localhost:12680":"host-source","https://login.microsoftonline.com":"host-source","https://region1.google-analytics.com/":"host
-source","https://www.google-analytics.com/":"host-source","https://www.googletagmanager.com/":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'self' https://*.consilio.com; script-src 'self' https://*.consilio.com https://cmp.osano.com/ https://www.google-analytics.com/ https://www.googletagmanager.com/; style-src 'self' 'unsafe-inline' https://*.consilio.com; object-src 'none'; base-uri 'self' https://*.consilio.com; connect-src 'self' http://127.0.0.1:12680 https://*.consilio.com https://*.osano.com/ https://127.0.0.1:12680 https://localhost:12680 https://login.microsoftonline.com https://region1.google-analytics.com/ https://www.google-analytics.com/ https://www.googletagmanager.com/; font-src 'self' data: https://*.consilio.com; form-action 'self' https://*.consilio.com; frame-ancestors 'none'; frame-src https://*.consilio.com https://app.powerbi.com https://www.googletagmanager.com/; img-src 'self' data: https://*.consilio.com https://flagcdn.com https://fonts.gstatic.com https://gateway.zscalerthree.net/ https://www.google-analytics.com/ https://www.googletagmanager.com/; worker-src 'self' blob:;"],"stats":{"totalHigh":0,"totalMedium":10,"totalLow":3,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://cmp.osano.com/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Invalid use of IP address in source","severity":"MEDIUM","directive":"connect-src","source":"https://127.0.0.1:12680","message":"It is invalid to use an IP address as a source. Please use the DNS name. 
(127.0.0.1 is valid, but should not be used in production)","recommendation":"Convert all IP addresses to DNS names","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://*.consilio.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"base-uri","source":"https://*.consilio.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Wildcard in origin for sensitive directive","severity":"MEDIUM","directive":"default-src","source":"https://*.consilio.com","message":"It's best to minimize the locations from which sensitive content can be loaded. A wildcard in a domain can open up the possibility of a number of tricky attacks including JSONP, redirects, insecure libs and more.","recommendation":"Restrict domains to the host if possible.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Invalid use of IP address in source","severity":"MEDIUM","directive":"connect-src","source":"http://127.0.0.1:12680","message":"It is invalid to use an IP address as a source. Please use the DNS name. 
(127.0.0.1 is valid, but should not be used in production)","recommendation":"Convert all IP addresses to DNS names","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.google-analytics.com/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://www.googletagmanager.com/","message":"For sensitive directives, it's best to explicitly define the resource (including the path). This will help minimize attacks such as JSONP, redirects and other CSP bypasses.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing reporting endpoint","severity":"MEDIUM","directive":"report-uri","source":"","message":"Reporting endpoints give website owners insight into when and where their CSP policy isn't working correctly.","recommendation":"Start using a reporting endpoint to capture and analyze your CSP violations. https://csper.io is a reporting endpoint.","docs":"https://csper.io/docs/report-uri","docsTitle":"report-uri"},{"title":"Non-encrypted loading of external assets (http: / ws:)","severity":"MEDIUM","directive":"connect-src","source":"http://127.0.0.1:12680","message":"Allowing content over insecure channels can allow snooping and tampering of data","recommendation":"Ensure that all content is loaded over secure channels. 
Remove http: and ws:","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Unsafe usage of unsafe-inline on style-src","severity":"LOW","directive":"style-src","source":"'unsafe-inline'","message":"Using 'unsafe-inline' on style-src allows injection of CSS. This potentially leaves the website open to styling attacks and complex info leaks.","recommendation":"Remove 'unsafe-inline' from the style-src. This might require some refactoring.","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"script-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"},{"title":"Missing 'report-sample'","severity":"LOW","directive":"style-src","source":"report-sample","message":"'report-sample' is a keyword that instructs the browser to include the first 40 characters of the violating inline resource in the report-uri violation report. 
This can greatly help debug which resources are causing a violation.","recommendation":"Consider adding 'report-sample' to the directive group (script-src/style-src).","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]},{"id":"6a1863b83ab8d6d37c5b5e0d","ts":"2026-05-28T15:48:08.901Z","ProjectID":"000000000000000000000000","PolicyID":"000000000000000000000000","isURL":true,"URL":"https://soap.sbseguros.cl","isHidden":false,"parsedPolicy":{"policy":"default-src 'none'; script-src 'report-sample' 'self' 'nonce-2be750de4b21821f1580135cb0e99829' 'sha256-NziETJxYU3QPY4drUTfz3CQb3Kdrdy+cfSiBrvfgqMk=' 'sha256-9U10x0umstX2PwqDuJcFu6XuusZFzJTynDzxmk9LqC0=' 'sha256-A4SWH9KZi9g1aG+lg/eX5mKCW5wM76+T2fe7Cz+F7eg=' 'sha256-PaC6xY1sPc3RvpviRyC7hWNEXok/kV+yZ6A10gVtaks=' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' 'sha256-AcR+h3+aeKtaw2xCtDVoIQuATxKlPEFf9vEoBuJ7LfY=' 'sha256-Z4WlZ7c18IhihWi9E6O6NXmzc+SJOCqbIPKRSZqbI6E=' https://www.googletagmanager.com/debug/ https://www.googletagmanager.com/gtag/ https://googleads.g.doubleclick.net/pagead/ https://www.google.com/ccm/collect https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtm.js https://www.google.com/recaptcha/api.js https://www.gstatic.com/recaptcha/releases/ https://www.recaptcha.net/recaptcha/api.js https://analytics.tiktok.com/i18n/pixel/events.js https://analytics.tiktok.com/i18n/pixel/static/ https://connect.facebook.net/en_US/fbevents.js https://connect.facebook.net/signals/ https://ads01.groovinads.com/ https://static.hotjar.com/c/ https://www.clarity.ms/tag/ https://scripts.clarity.ms/0.8.57/clarity.js; object-src 'none'; base-uri 'self'; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com data:; frame-src 'self' https://ads01.groovinads.com/grv/ https://www.google.com https://www.googletagmanager.com https://tagassistant.google.com; frame-ancestors 'none'; img-src * 'self' data: blob: https://googletagmanager.com https://ads01.groovinads.com/ 
https://ssl.gstatic.com https://www.gstatic.com; style-src 'self' 'nonce-89b906dc7e81001d8b975828a9a97b0c' 'sha256-QGU9B7FUA05/o+j0WTqzhmrVQtxVOddl/DoC66RoyOM=' 'sha256-xWGOGGMGQQ+IV0Om4xzgbDHXUh/+L1c375p0Pb6vF9A=' 'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4=' 'sha256-+2IDGbC7ZZROnE79uLRezet3L0yclBb0/DMZlchxq7g=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' https://fonts.googleapis.com https://www.googletagmanager.com/debug/ 'report-sample';; manifest-src 'self'; media-src 'self'; report-uri https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1; worker-src 'none'; form-action 'self' https://webpay3g.transbank.cl; connect-src 'self' https://perk.cl https://embedx.io https://ads01.groovinads.com/ https://www.googletagmanager.com/debug/ https://analytics.google.com/g/collect https://www.googletagmanager.com/gtag/js https://www.google.com https://stats.g.doubleclick.net/g/collect https://www.gstatic.com https://www.google-analytics.com https://www.recaptcha.net https://d.clarity.ms/collect https://63ee9d651110c9e871bfe9b7.endpoint.csper.io;; report-to 
csp-endpoint;","directives":{"base-uri":["'self'"],"connect-src":["'self'","https://63ee9d651110c9e871bfe9b7.endpoint.csper.io","https://ads01.groovinads.com/","https://analytics.google.com/g/collect","https://d.clarity.ms/collect","https://embedx.io","https://perk.cl","https://stats.g.doubleclick.net/g/collect","https://www.google-analytics.com","https://www.google.com","https://www.googletagmanager.com/debug/","https://www.googletagmanager.com/gtag/js","https://www.gstatic.com","https://www.recaptcha.net"],"default-src":["'none'"],"font-src":["'self'","data:","https://cdn.jsdelivr.net","https://fonts.gstatic.com"],"form-action":["'self'","https://webpay3g.transbank.cl"],"frame-ancestors":["'none'"],"frame-src":["'self'","https://ads01.groovinads.com/grv/","https://tagassistant.google.com","https://www.google.com","https://www.googletagmanager.com"],"img-src":["'self'","*","blob:","data:","https://ads01.groovinads.com/","https://googletagmanager.com","https://ssl.gstatic.com","https://www.gstatic.com"],"manifest-src":["'self'"],"media-src":["'self'"],"object-src":["'none'"],"report-to":["csp-endpoint"],"report-uri":["https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1"],"script-src":["'nonce-2be750de4b21821f1580135cb0e99829'","'report-sample'","'self'","'sha256-9U10x0umstX2PwqDuJcFu6XuusZFzJTynDzxmk9LqC0='","'sha256-A4SWH9KZi9g1aG+lg/eX5mKCW5wM76+T2fe7Cz+F7eg='","'sha256-AcR+h3+aeKtaw2xCtDVoIQuATxKlPEFf9vEoBuJ7LfY='","'sha256-NziETJxYU3QPY4drUTfz3CQb3Kdrdy+cfSiBrvfgqMk='","'sha256-PaC6xY1sPc3RvpviRyC7hWNEXok/kV+yZ6A10gVtaks='","'sha256-Z4WlZ7c18IhihWi9E6O6NXmzc+SJOCqbIPKRSZqbI6E='","'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU='","https://ads01.groovinads.com/","https://analytics.tiktok.com/i18n/pixel/events.js","https://analytics.tiktok.com/i18n/pixel/static/","https://connect.facebook.net/en_US/fbevents.js","https://connect.facebook.net/signals/","https://googleads.g.doubleclick.net/pagead/","https://scripts.clarity.ms/0.8.57/clarity.js","https://stati
c.hotjar.com/c/","https://www.clarity.ms/tag/","https://www.google-analytics.com/analytics.js","https://www.google.com/ccm/collect","https://www.google.com/recaptcha/api.js","https://www.googletagmanager.com/debug/","https://www.googletagmanager.com/gtag/","https://www.googletagmanager.com/gtm.js","https://www.gstatic.com/recaptcha/releases/","https://www.recaptcha.net/recaptcha/api.js"],"style-src":["'nonce-89b906dc7e81001d8b975828a9a97b0c'","'report-sample'","'self'","'sha256-+2IDGbC7ZZROnE79uLRezet3L0yclBb0/DMZlchxq7g='","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='","'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4='","'sha256-QGU9B7FUA05/o+j0WTqzhmrVQtxVOddl/DoC66RoyOM='","'sha256-xWGOGGMGQQ+IV0Om4xzgbDHXUh/+L1c375p0Pb6vF9A='","https://fonts.googleapis.com","https://www.googletagmanager.com/debug/"],"worker-src":["'none'"]},"directiveOrder":["default-src","script-src","object-src","base-uri","font-src","frame-src","frame-ancestors","img-src","style-src","manifest-src","media-src","report-uri","worker-src","form-action","connect-src","report-to"],"disposition":"enforce","delivery":"header","sourceMapping":{"'nonce-2be750de4b21821f1580135cb0e99829'":"nonce-source","'nonce-89b906dc7e81001d8b975828a9a97b0c'":"nonce-source","'none'":"keyword-source","'report-sample'":"keyword-source","'self'":"keyword-source","'sha256-+2IDGbC7ZZROnE79uLRezet3L0yclBb0/DMZlchxq7g='":"hash-source","'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='":"hash-source","'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4='":"hash-source","'sha256-9U10x0umstX2PwqDuJcFu6XuusZFzJTynDzxmk9LqC0='":"hash-source","'sha256-A4SWH9KZi9g1aG+lg/eX5mKCW5wM76+T2fe7Cz+F7eg='":"hash-source","'sha256-AcR+h3+aeKtaw2xCtDVoIQuATxKlPEFf9vEoBuJ7LfY='":"hash-source","'sha256-NziETJxYU3QPY4drUTfz3CQb3Kdrdy+cfSiBrvfgqMk='":"hash-source","'sha256-PaC6xY1sPc3RvpviRyC7hWNEXok/kV+yZ6A10gVtaks='":"hash-source","'sha256-QGU9B7FUA05/o+j0WTqzhmrVQtxVOddl/DoC66RoyOM='":"hash-source","'sha256-Z4WlZ7c18IhihWi9E6
O6NXmzc+SJOCqbIPKRSZqbI6E='":"hash-source","'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU='":"hash-source","'sha256-xWGOGGMGQQ+IV0Om4xzgbDHXUh/+L1c375p0Pb6vF9A='":"hash-source","*":"host-source","blob:":"scheme-source","csp-endpoint":"host-source","data:":"scheme-source","https://63ee9d651110c9e871bfe9b7.endpoint.csper.io":"host-source","https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1":"host-source","https://ads01.groovinads.com/":"host-source","https://ads01.groovinads.com/grv/":"host-source","https://analytics.google.com/g/collect":"host-source","https://analytics.tiktok.com/i18n/pixel/events.js":"host-source","https://analytics.tiktok.com/i18n/pixel/static/":"host-source","https://cdn.jsdelivr.net":"host-source","https://connect.facebook.net/en_US/fbevents.js":"host-source","https://connect.facebook.net/signals/":"host-source","https://d.clarity.ms/collect":"host-source","https://embedx.io":"host-source","https://fonts.googleapis.com":"host-source","https://fonts.gstatic.com":"host-source","https://googleads.g.doubleclick.net/pagead/":"host-source","https://googletagmanager.com":"host-source","https://perk.cl":"host-source","https://scripts.clarity.ms/0.8.57/clarity.js":"host-source","https://ssl.gstatic.com":"host-source","https://static.hotjar.com/c/":"host-source","https://stats.g.doubleclick.net/g/collect":"host-source","https://tagassistant.google.com":"host-source","https://webpay3g.transbank.cl":"host-source","https://www.clarity.ms/tag/":"host-source","https://www.google-analytics.com":"host-source","https://www.google-analytics.com/analytics.js":"host-source","https://www.google.com":"host-source","https://www.google.com/ccm/collect":"host-source","https://www.google.com/recaptcha/api.js":"host-source","https://www.googletagmanager.com":"host-source","https://www.googletagmanager.com/debug/":"host-source","https://www.googletagmanager.com/gtag/":"host-source","https://www.googletagmanager.com/gtag/js":"host-source","https://www.googletagman
ager.com/gtm.js":"host-source","https://www.gstatic.com":"host-source","https://www.gstatic.com/recaptcha/releases/":"host-source","https://www.recaptcha.net":"host-source","https://www.recaptcha.net/recaptcha/api.js":"host-source"}},"disposition":"enforce","source":"header","policies":["default-src 'none'; script-src 'nonce-2be750de4b21821f1580135cb0e99829' 'report-sample' 'self' 'sha256-9U10x0umstX2PwqDuJcFu6XuusZFzJTynDzxmk9LqC0=' 'sha256-A4SWH9KZi9g1aG+lg/eX5mKCW5wM76+T2fe7Cz+F7eg=' 'sha256-AcR+h3+aeKtaw2xCtDVoIQuATxKlPEFf9vEoBuJ7LfY=' 'sha256-NziETJxYU3QPY4drUTfz3CQb3Kdrdy+cfSiBrvfgqMk=' 'sha256-PaC6xY1sPc3RvpviRyC7hWNEXok/kV+yZ6A10gVtaks=' 'sha256-Z4WlZ7c18IhihWi9E6O6NXmzc+SJOCqbIPKRSZqbI6E=' 'sha256-ieoeWczDHkReVBsRBqaal5AFMlBtNjMzgwKvLqi/tSU=' https://ads01.groovinads.com/ https://analytics.tiktok.com/i18n/pixel/events.js https://analytics.tiktok.com/i18n/pixel/static/ https://connect.facebook.net/en_US/fbevents.js https://connect.facebook.net/signals/ https://googleads.g.doubleclick.net/pagead/ https://scripts.clarity.ms/0.8.57/clarity.js https://static.hotjar.com/c/ https://www.clarity.ms/tag/ https://www.google-analytics.com/analytics.js https://www.google.com/ccm/collect https://www.google.com/recaptcha/api.js https://www.googletagmanager.com/debug/ https://www.googletagmanager.com/gtag/ https://www.googletagmanager.com/gtm.js https://www.gstatic.com/recaptcha/releases/ https://www.recaptcha.net/recaptcha/api.js; style-src 'nonce-89b906dc7e81001d8b975828a9a97b0c' 'report-sample' 'self' 'sha256-+2IDGbC7ZZROnE79uLRezet3L0yclBb0/DMZlchxq7g=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4=' 'sha256-QGU9B7FUA05/o+j0WTqzhmrVQtxVOddl/DoC66RoyOM=' 'sha256-xWGOGGMGQQ+IV0Om4xzgbDHXUh/+L1c375p0Pb6vF9A=' https://fonts.googleapis.com https://www.googletagmanager.com/debug/; object-src 'none'; base-uri 'self'; connect-src 'self' https://63ee9d651110c9e871bfe9b7.endpoint.csper.io https://ads01.groovinads.com/ 
https://analytics.google.com/g/collect https://d.clarity.ms/collect https://embedx.io https://perk.cl https://stats.g.doubleclick.net/g/collect https://www.google-analytics.com https://www.google.com https://www.googletagmanager.com/debug/ https://www.googletagmanager.com/gtag/js https://www.gstatic.com https://www.recaptcha.net; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com; form-action 'self' https://webpay3g.transbank.cl; frame-ancestors 'none'; frame-src 'self' https://ads01.groovinads.com/grv/ https://tagassistant.google.com https://www.google.com https://www.googletagmanager.com; img-src 'self' * blob: data: https://ads01.groovinads.com/ https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com; manifest-src 'self'; media-src 'self'; report-to csp-endpoint; report-uri https://63ee9d651110c9e871bfe9b7.endpoint.csper.io/?v=1; worker-src 'none';"],"stats":{"totalHigh":0,"totalMedium":1,"totalLow":0,"totalInfo":0},"recommendations":[{"title":"Missing path on source for sensitive directive","severity":"MEDIUM","directive":"script-src","source":"https://ads01.groovinads.com/","message":"For sensitive directives, it is best to define the resource explicitly, including its path. This helps mitigate CSP bypasses such as JSONP endpoints and open redirects.","recommendation":"For sensitive resources, explicitly define the full paths.","docs":"https://csper.io/docs/sources","docsTitle":"sources"}]}]