Helmet Content-Security-Policy disabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
helmet is configured with contentSecurityPolicy: false, so the app ships no CSP and loses its main defense-in-depth against XSS.
Why it matters
Setting contentSecurityPolicy: false in helmet ships your app with no Content-Security-Policy at all. CSP is the main defense-in-depth layer that limits what an injected script can do, so disabling it means any XSS has full run of the page. It is often flipped off during debugging and left off.
How to fix it
Remove contentSecurityPolicy: false and configure a real policy instead. Start from helmet defaults and tighten script-src/style-src to your own origins plus nonces or hashes for anything inline. Deploy in report-only mode first, watch the violation reports, then enforce. Keep the policy in code so it is reviewed like the rest of the app.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo