How do I fix missing content security policy on Wix?

Wix does not allow custom HTTP response headers on standard Wix-hosted sites via the dashboard. Use Wix's built-in security settings where available: Wix Dashboard → Settings → Security, and enable any available content security options. For Wix sites on a custom domain proxied through Cloudflare, add the CSP header via Cloudflare Transform Rules as described above (Cloudflare Dashboard → Rules → Transform Rules → Modify Response Headers). If you use Wix Velo (formerly Corvid) and have a custom backend, you can set headers on HTTP Functions: in your Velo backend file, return `response.headers.set('Content-Security-Policy', '...')` in your `http-functions.js`. Note: Wix's hosted infrastructure limits full CSP control; a Cloudflare proxy is the most practical enforcement option.

How to fix missing content security policy on Wix

Add a Content-Security-Policy (CSP) response header to every page so browsers block unauthorized scripts, styles, and resources from loading.

Steps for Wix

Wix does not allow custom HTTP response headers on standard Wix-hosted sites via the dashboard.
Use Wix's built-in security settings where available: Wix Dashboard → Settings → Security, and enable any available content security options.
For Wix sites on a custom domain proxied through Cloudflare, add the CSP header via Cloudflare Transform Rules as described above (Cloudflare Dashboard → Rules → Transform Rules → Modify Response Headers).
If you use Wix Velo (formerly Corvid) and have a custom backend, you can set headers on HTTP Functions: in your Velo backend file, return `response.headers.set('Content-Security-Policy', '...')` in your `http-functions.js`.
Note: Wix's hosted infrastructure limits full CSP control; a Cloudflare proxy is the most practical enforcement option.

Official Wix documentation ↗

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; object-src 'none'; frame-ancestors 'none'; base-uri 'self';

What is missing content security policy?

A Content Security Policy (CSP) is an HTTP response header your web server sends to a visitor's browser. It acts like a whitelist, telling the browser exactly which domains and sources are allowed to load scripts, stylesheets, images, fonts, and other content on your site. If a piece of code tries to load from a source not on your list — for example, a malicious script injected by an attacker — the browser simply refuses to run it. Without a CSP header, the browser has no such instructions and will run whatever code it finds on the page.

Without a CSP, your store is significantly more vulnerable to Cross-Site Scripting (XSS) and data-injection attacks — the #3 risk in the OWASP Top Ten. Attackers who find even a small vulnerability in a plugin, theme, or third-party widget can inject malicious scripts that steal customer payment card details, session cookies, or personal data directly from the browser (a technique known as "formjacking" or "Magecart"). A successful attack can result in PCI-DSS compliance failures, card-brand fines, regulatory penalties under GDPR or CCPA, and severe damage to customer trust. Search engines also consider site security as a ranking signal, and a compromised site can be blocklisted by Google, wiping out organic traffic overnight.

See the complete Missing content security policy guide for every platform and the full background.

Not sure if your Wix store has this?

Run a free SEOLZ audit — we’ll find missing content security policy and every other issue across your whole site.

Scan my site free

How to fix missing content security policy on Wix

Steps for Wix

What is missing content security policy?

Not sure if your Wix store has this?

Fix missing content security policy on another platform