Seoxpert.io
Severity: high · Security

Weak Content Security Policy (unsafe-inline/unsafe-eval)

Your Content-Security-Policy header allows 'unsafe-inline' or 'unsafe-eval' for scripts, which lets injected script run and gives up most of the XSS protection CSP is meant to provide.

By Seoxpert Editorial · Published

Why it matters

A Content Security Policy (CSP) whose script-src directive (or default-src, when script-src is absent) contains the 'unsafe-inline' or 'unsafe-eval' keyword gives up most of what CSP is for. 'unsafe-inline' lets every inline <script> block and inline event handler run, including one an attacker injects through an XSS bug elsewhere on the page; 'unsafe-eval' lets attacker-controlled strings reach eval(), new Function() and setTimeout/setInterval with string arguments. CSP is meant to be the second line of defence behind output encoding, and a policy with these keywords provides little of it. Beyond the direct risk to user data and sessions, a site that scanners or browsers flag as insecure loses user trust, and search visibility may suffer as a result.

Impact

If left unresolved, any single XSS flaw on the page (a reflected parameter, a stored comment, a vulnerable third-party widget) becomes fully exploitable, because the policy does not stop the injected script from running. That script executes with the page's origin and can hijack sessions, read cookies not marked HttpOnly, alter page content or exfiltrate form input.

How it's detected

An automated crawler fetches each page and inspects the Content-Security-Policy response header for 'unsafe-inline', 'unsafe-eval', or a wildcard (*) script source. The directive that matters is script-src; when it is absent, browsers apply default-src to scripts instead, so a weak default-src counts too. 'unsafe-inline' in style-src is a much smaller concern and is not what this finding is about.
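As an added example (not Seoxpert's crawler code), a minimal checker that reads a Content-Security-Policy header the way a scanner would, resolves which directive governs scripts, and reports the weaknesses described above. It also shows the caveat that matters when grading a policy: browsers that understand nonces and hashes ignore 'unsafe-inline' once one is present.

```javascript
// Added example, not Seoxpert's crawler code: a minimal checker that reads a
// Content-Security-Policy header the way a scanner would and reports the
// script-source weaknesses this page describes.

// Parse "name src src; name src" into a Map of directive name -> source list.
// Per the CSP spec, when a directive is repeated the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs script execution; when it is absent the browser falls
// back to default-src; when neither is present scripts are unrestricted.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Return a list of human-readable findings; an empty list means no weakness.
function auditScriptSrc(header) {
  const findings = [];
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    findings.push('no script-src or default-src: script execution is unrestricted');
    return findings;
  }
  // Keyword sources are matched case-insensitively; we never use the nonce or
  // hash values themselves, only their prefixes, so lowercasing is safe here.
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));

  if (lower.includes("'unsafe-inline'")) {
    // Browsers that support CSP level 2 ignore 'unsafe-inline' once a nonce or
    // hash is present, so it then only serves as a fallback for old browsers.
    findings.push(hasNonceOrHash
      ? "'unsafe-inline' present but ignored by nonce/hash-aware browsers (fallback only)"
      : "'unsafe-inline' lets any injected inline script run");
  }
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' lets eval(), new Function() and setTimeout(string) run attacker data as code");
  }
  for (const s of lower) {
    if (s === '*') {
      findings.push("wildcard '*' allows scripts from any origin");
    } else if (/^(https?|data|blob):$/.test(s)) {
      findings.push(`scheme-only source ${s} allows scripts from any ${s} URL`);
    }
  }
  return findings;
}

// Usage: the two headers from the "Code examples" section of this page.
console.log(auditScriptSrc("script-src 'self' 'unsafe-inline' 'unsafe-eval' *;"));
console.log(auditScriptSrc("script-src 'self' 'nonce-abc123' https://trusted.cdn.com;"));
```

The first header yields three findings ('unsafe-inline', 'unsafe-eval' and the wildcard); the nonce-based header yields none. A policy such as `default-src 'self'; script-src 'nonce-x' 'unsafe-inline'` is reported only as a fallback, which is the distinction a scanner should make before raising this issue.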

Common causes

  • Copying a framework or CMS starter policy that ships with 'unsafe-inline' or 'unsafe-eval' so that nothing breaks
  • Inline <script> blocks and inline event handlers (onclick="...") that have not been given nonces or hashes
  • Loading third-party scripts from many or unvetted origins, which tempts developers to open script-src with a wildcard
  • Using * (or a bare scheme such as https:) in the script-src directive instead of listing origins explicitly
  • Legacy code and libraries that rely on eval(), new Function() or setTimeout/setInterval with string arguments

How to fix it

Remove 'unsafe-inline' and 'unsafe-eval' from the script-src directive (and from default-src if that is what governs your scripts). For inline scripts you control, use nonces or hashes: generate a fresh nonce from a cryptographically secure random source for every response (at least 128 bits, base64-encoded), put it in the header as script-src 'nonce-{random}' and on each legitimate <script nonce="{random}"> tag; or, for an inline script whose text never changes, allow its SHA-256 digest as 'sha256-{base64}'. Inline event handlers and javascript: URLs cannot carry a nonce, so move them into script files that attach listeners with addEventListener. Allow external scripts only from explicitly listed origins, never * or a bare scheme. Audit the codebase for eval(), new Function() and string-based setTimeout/setInterval and replace them. Roll the new policy out first with the Content-Security-Policy-Report-Only header and a report-uri or report-to endpoint so violations are logged without breaking pages, then switch to the enforcing header. Browsers that understand nonces and hashes ignore 'unsafe-inline' when one is present, so it may be kept alongside the nonce purely as a fallback for very old browsers without weakening the policy in modern ones.

Code examples

Problematic CSP header

Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' *;

Secure CSP header using a nonce ('nonce-abc123' is illustrative only: the value must be freshly generated for every response, and https://trusted.cdn.com stands for an origin you actually trust)

Content-Security-Policy: script-src 'self' 'nonce-abc123' https://trusted.cdn.com;

FAQ

Why is 'unsafe-inline' dangerous in my CSP?

'unsafe-inline' tells the browser to run every inline <script> block, inline event handler and javascript: URL on the page, whoever put it there. XSS payloads are almost always inline scripts, so the policy no longer stops them.

How can I use inline scripts securely with CSP?

Add a per-response nonce to the header ('nonce-...') and to each legitimate <script> tag, or list the SHA-256 hash of each static inline script ('sha256-...'). Only scripts carrying the nonce or matching a hash run, so 'unsafe-inline' is no longer needed.

What is the risk of keeping 'unsafe-eval' in my CSP?

'unsafe-eval' permits eval(), new Function() and setTimeout/setInterval with string arguments. If attacker-controlled data reaches any of those sinks it executes as code, and many DOM-based XSS chains rely on exactly that.

Do I need to refactor all inline scripts?

Yes. Every inline <script> needs a nonce or hash, and inline event handlers and javascript: URLs must move into scripts that attach listeners, because they cannot carry a nonce. Moving code into external files served from 'self' is often the simplest route.
