TL;DR: Defense-in-depth. There's a reason a lot of these protections exist in the first place. Please use them.

I know most places will auto-categorize a missing Content-Security-Policy (CSP) as an informational severity finding until cross-site scripting (XSS) is found, as there isn't technically a vulnerability (yet). I'm a huge fan of defense-in-depth, so while I support a default low rating, I know it'll never happen to the current specifications and rating schemes. Just keep in mind that ...
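To make the defense-in-depth point concrete, here is a small offline checker (an added example, not code from the original post) that parses a Content-Security-Policy header and reports whether the policy would still let an injected inline script run once an XSS bug appears. The policy strings are constructed samples; the checker applies the standard CSP fallback rule that script-src and object-src inherit from default-src when absent, and that a nonce or hash source neutralizes 'unsafe-inline' in current browsers.

```python
from typing import Dict, List, Optional

# Constructed sample policies (not taken from any real site).
STRICT_EXAMPLE = ("default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'; "
                  "object-src 'none'; base-uri 'none'")
WEAK_EXAMPLE = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"

# Scheme/wildcard sources that allow scripts from an unbounded set of origins.
BROAD_SOURCES = {"*", "http:", "https:", "data:"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Per the spec, if a directive appears twice the first occurrence wins,
    so later duplicates are ignored here."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list that governs `directive`, applying the default-src
    fallback. None means nothing governs it, i.e. everything is allowed."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def csp_findings(header: str) -> List[str]:
    """Return human-readable weaknesses in the script-related parts of a policy.

    An empty list means injected inline scripts and scripts from unlisted
    hosts would be blocked, which is the defense-in-depth value a CSP adds
    on top of output encoding."""
    findings: List[str] = []
    policy = parse_csp(header)

    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append("no script-src or default-src: any script, inline or remote, may run")
        return findings

    lowered = [s.lower() for s in script]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)

    # Browsers ignore 'unsafe-inline' when a nonce or hash is present, so it
    # is only a finding when it actually takes effect.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' in script sources: an injected inline <script> will execute")

    for src in lowered:
        if src in BROAD_SOURCES:
            findings.append(f"{src} in script sources: scripts from any matching origin may load")

    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' in script sources: eval()/new Function() are permitted")

    # Plugin content (object/embed) is a second script-execution path; it
    # should be restricted explicitly or via default-src.
    if effective_sources(policy, "object-src") is None:
        findings.append("object-src not restricted: plugin content is not covered by the policy")

    return findings


if __name__ == "__main__":
    for label, header in (("strict", STRICT_EXAMPLE), ("weak", WEAK_EXAMPLE), ("missing", "")):
        print(f"[{label}] {header or '<no header>'}")
        for finding in csp_findings(header) or ["no script-related weaknesses found"]:
            print("   -", finding)
```

Feed it the CSP string you see in a response header (or an empty string for a missing header) and the findings list tells you, in plain terms, what an XSS payload would still be able to do; that gap is what a "missing CSP" finding is really reporting.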