Content-Security-Policy header not taken into consideration in IIS 10


Salam Elias

Nov 12, 2025, 1:00:40 PM
to ZAP User Group
I have setup the header 
Content-Security-Policy = default-src 'self'; img-src 'self' mysite.fr

When I run "Attack" I still get
The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

I am new to this tool, what does this mean and how can it be fixed? Thanks

kingthorin+zap

Nov 14, 2025, 9:55:08 AM
to ZAP User Group
You should generate a report that has the full details of the alert.

Anyway, the issue is that while you have a CSP, there are some directives that don't fall back to default-src, so if you haven't defined them, that's the same as defining them as a wildcard.
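
As an added example (not ZAP's own code and not part of the thread), the check below parses a CSP value and lists the directives that do not inherit from default-src when they are left out. The set of no-fallback directives is taken from the CSP Level 3 spec (base-uri, form-action, frame-ancestors); whether ZAP's rule checks exactly this set is an assumption. The hardened header pins those three to 'self', which is a reasonable starting point but depends on the site.

```python
# Added example: find CSP directives that do not fall back to default-src.
from typing import Dict, List

# Fetch directives such as script-src and img-src inherit default-src when
# absent. These do not; leaving them out is the same as setting them to '*'.
# List taken from the CSP Level 3 spec; that ZAP checks exactly this set is
# an assumption, not something the thread states.
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split 'name v1 v2; name2 v3' into {name: [v1, v2], name2: [v3]}.
    Directive names are case-insensitive; the first occurrence wins,
    since browsers ignore a repeated directive."""
    policy: Dict[str, List[str]] = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def missing_no_fallback(header_value: str) -> List[str]:
    """Return the no-fallback directives that the policy does not define."""
    policy = parse_csp(header_value)
    return [d for d in NO_FALLBACK if d not in policy]


def wildcard_directives(header_value: str) -> List[str]:
    """Directives that are effectively open: either present with '*' as a
    source, or a no-fallback directive that is missing altogether."""
    policy = parse_csp(header_value)
    open_ones = [d for d, srcs in policy.items() if "*" in srcs]
    return sorted(set(open_ones) | set(missing_no_fallback(header_value)))


# The header value from the original post (constructed from the thread).
ORIGINAL = "default-src 'self'; img-src 'self' mysite.fr"

# The same policy with the no-fallback directives defined explicitly.
# 'self' for all three is an assumption; the right values depend on the site.
HARDENED = (
    "default-src 'self'; img-src 'self' mysite.fr; "
    "base-uri 'self'; form-action 'self'; frame-ancestors 'self'"
)

if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(f"{label}: missing no-fallback directives = "
              f"{missing_no_fallback(value) or 'none'}")
```

Run it and the original header reports base-uri, form-action and frame-ancestors as missing, which is what the alert is pointing at; the hardened header reports none. Re-run the ZAP scan after changing the header to confirm the alert clears.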
