Fix guide · medium · auth_page_missing_csp

Auth page missing Content-Security-Policy

What this rule means

Your page contains a password field but no Content-Security-Policy header.

Why it matters

Without a CSP, any reflected or stored XSS that lands on the page can read the password form and exfiltrate the credentials. A strict CSP tightly restricts which scripts can run at all.

How to fix it

Add a strict CSP. A reasonable starting point:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'

Adjust the directives to your app's needs, then grade the result with csp-evaluator.withgoogle.com.
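As an added example (not vibecheck's own code), the Python below reproduces this rule's check, a password field with no Content-Security-Policy header, and, when a header is present, audits it for the gaps that matter on a login page. The function names are my own; the fallback behaviour of form-action, frame-ancestors and base-uri is standard CSP.

```python
from html.parser import HTMLParser

# The guide's starting-point policy, kept as the exact header value.
STRICT_CSP = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
              "img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; "
              "base-uri 'self'; form-action 'self'")

def parse_csp(value):
    """Header value -> {directive: [sources]}; directive names are case-insensitive."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

class _PasswordFieldFinder(HTMLParser):
    """Sets .found when an <input type="password"> appears in the markup."""
    found = False
    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found = True

def has_password_field(html):
    finder = _PasswordFieldFinder()
    finder.feed(html)
    return finder.found

def audit_csp(policy):
    """Weaknesses that still leave a credential form exposed under this CSP."""
    issues = []
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        issues.append("no script-src or default-src: any script may run")
    elif any(s in ("'unsafe-inline'", "*", "data:") for s in scripts):
        issues.append("script-src allows inline, wildcard or data: scripts")
    # These three never fall back to default-src, so each must be set explicitly.
    for directive in ("form-action", "frame-ancestors", "base-uri"):
        if directive not in policy:
            issues.append(f"{directive} missing")
    return issues

def check_auth_page(headers, html):
    """The rule: password field with no CSP header -> finding; otherwise audit the policy."""
    if not has_password_field(html):
        return []
    csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), None)
    if csp is None:
        return ["auth_page_missing_csp"]
    return audit_csp(parse_csp(csp))
```

The audit accepts 'unsafe-inline' on style-src, as the guide's own policy does, but rejects it on script-src, which is the directive that decides whether injected markup can execute.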

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
