Fix guide · medium · csp_missing_default_src
CSP has no default-src directive
Your Content-Security-Policy header has no default-src and no script-src directive. Fetch directives that aren't explicitly set fall back to default-src; without it, those fetches are unrestricted.
Why it matters
CSP's design assumes you set default-src as the floor and override specific directives where you need different rules. Without default-src, every directive you didn't explicitly set is unrestricted — connect-src, font-src, media-src, worker-src, etc. all permit anything.
Usually this is a CSP that started as a frame-ancestors-only or upgrade-insecure-requests-only policy and never got fleshed out. The visible parts work; the implicit parts are open.
How to fix it
Add default-src 'self' as the floor:
Content-Security-Policy:
default-src 'self';
script-src 'self';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
connect-src 'self';
frame-ancestors 'none';
base-uri 'self';
form-action 'self'
The above is a reasonable starting point. Tighten per directive based on what your app actually needs.
Validate at csp-evaluator.withgoogle.com — paste the policy, look for warnings.
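To see the fallback rule from the section above in action, here is an added example (not vibecheck's or the page's own code) that resolves each CSP fetch directive through the CSP Level 3 fallback chain and lists the directives nothing governs; the sample policies WEAK and FIXED are constructed, FIXED being the header shown above as a single value.

```python
# Added example (not vibecheck's or the page's code): resolve each CSP fetch
# directive through the spec's fallback chain and report the ones that end up
# governed by nothing, which is exactly what a missing default-src causes.

# Fallback chain per fetch directive (most specific first), as in CSP Level 3.
# Directives not listed here fall back straight to default-src.
FALLBACK = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
}
FETCH_DIRECTIVES = [
    "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
    "object-src", "child-src", "frame-src", "worker-src", "manifest-src",
    "script-src-elem", "script-src-attr", "style-src-elem", "style-src-attr",
]

def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, *sources = parts
        # A repeated directive is ignored by browsers; the first occurrence wins.
        policy.setdefault(name.lower(), sources)
    return policy

def effective_sources(policy, directive):
    """Return (governing directive, its sources), or (None, None) if unrestricted."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return name, policy[name]
    return None, None

def unrestricted_fetch_directives(header):
    """Fetch directives that nothing in the policy restricts."""
    policy = parse_csp(header)
    return [d for d in FETCH_DIRECTIVES if effective_sources(policy, d)[0] is None]

# Constructed sample policies: the under-built one this page describes, and the fix.
WEAK = "frame-ancestors 'none'; upgrade-insecure-requests"
FIXED = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
         "img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none'; "
         "base-uri 'self'; form-action 'self'")
```

`unrestricted_fetch_directives(WEAK)` returns every fetch directive, while `unrestricted_fetch_directives(FIXED)` returns an empty list; `effective_sources(parse_csp(FIXED), "worker-src")` shows worker-src being governed by script-src because neither worker-src nor child-src is set.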
Full guide: /blog/csp-bypass-vibe-coded.
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.