What it is
A Content-Security-Policy is a response header that tells the browser exactly which sources it may load scripts, styles, frames, and other content from. Anything outside that allow-list is blocked before it can run.
Why it matters
CSP is the most effective browser-side defense against cross-site scripting (XSS) and content injection, because it constrains where executable content can come from even if an attacker manages to inject markup. A missing policy removes that safety net entirely; an over-broad one (for example allowing `unsafe-inline` or `*`) provides little real protection, so the quality of the policy matters as much as its presence.
How WebGuard checks it
WebGuard reads the Content-Security-Policy header your public pages return and reports whether it is present and whether it is meaningfully restrictive. It is a read-only observation of headers your server already sends.
A sensible starting configuration:
Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'