diff --git a/src/Umbraco.Core/Constants-HealthChecks.cs b/src/Umbraco.Core/Constants-HealthChecks.cs
index bb18145401e9..d4b35f4e0492 100644
--- a/src/Umbraco.Core/Constants-HealthChecks.cs
+++ b/src/Umbraco.Core/Constants-HealthChecks.cs
@@ -52,6 +52,7 @@ public static class Security
[Obsolete("This link is not used anymore in the XSS protected check.")]
public const string XssProtectionCheck = "https://umbra.co/healthchecks-xss-protection";
public const string ExcessiveHeadersCheck = "https://umbra.co/healthchecks-excessive-headers";
+ public const string CspHeaderCheck = "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP";
public static class HttpsCheck
{
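Review bot: The new `CspHeaderCheck` constant links straight to an MDN page, while every neighbouring constant in this class (`XssProtectionCheck`, `ExcessiveHeadersCheck`) goes through a project-controlled `https://umbra.co/healthchecks-*` redirect. If those short links are the convention for "read more" URLs, the indirection is what lets the target be updated without a code change and a release; a direct third-party URL loses that. Consider `public const string CspHeaderCheck = "https://umbra.co/healthchecks-csp";` (constructed placeholder, the actual redirect would need to be registered), or a brief comment explaining why this one deliberately points at MDN.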
diff --git a/src/Umbraco.Core/EmbeddedResources/Lang/en.xml b/src/Umbraco.Core/EmbeddedResources/Lang/en.xml
index 893ab7c242d6..c05ea72cfcac 100644
--- a/src/Umbraco.Core/EmbeddedResources/Lang/en.xml
+++ b/src/Umbraco.Core/EmbeddedResources/Lang/en.xml
@@ -467,6 +467,12 @@
You can read about this on the Mozilla website ]]>
X-XSS-Protection was not found.]]>
+
+ Content-Security-Policy (CSP) was found. ]]>
+
+
+ Content-Security-Policy (CSP) used to prevent cross-site scripting (XSS) attacks and other code injection vulnerabilities was not found.]]>
+
%0%.]]>
No headers revealing information about the website technology were found.
diff --git a/src/Umbraco.Core/EmbeddedResources/Lang/en_us.xml b/src/Umbraco.Core/EmbeddedResources/Lang/en_us.xml
index 69558f72dace..dec3809f8dc5 100644
--- a/src/Umbraco.Core/EmbeddedResources/Lang/en_us.xml
+++ b/src/Umbraco.Core/EmbeddedResources/Lang/en_us.xml
@@ -455,6 +455,12 @@
You can read about this on the Mozilla website ]]>
X-XSS-Protection was not found.]]>
+
+ Content-Security-Policy (CSP) was found. ]]>
+
+
+ Content-Security-Policy (CSP) used to prevent cross-site scripting (XSS) attacks and other code injection vulnerabilities was not found.]]>
+
%0%.]]>
No headers revealing information about the website technology were found.
diff --git a/src/Umbraco.Core/HealthChecks/Checks/Security/CspCheck.cs b/src/Umbraco.Core/HealthChecks/Checks/Security/CspCheck.cs
new file mode 100644
index 000000000000..1ac8cf56f4b6
--- /dev/null
+++ b/src/Umbraco.Core/HealthChecks/Checks/Security/CspCheck.cs
@@ -0,0 +1,31 @@
+// Copyright (c) Umbraco.
+// See LICENSE for more details.
+
+using Umbraco.Cms.Core.Hosting;
+using Umbraco.Cms.Core.Services;
+
+namespace Umbraco.Cms.Core.HealthChecks.Checks.Security;
+
+///
+/// Health check for the recommended production setup regarding the content-security-policy header.
+///
+[HealthCheck(
+ "10BEBF47-C128-4C5E-9680-5059BEAFBBDF",
+ "Content Security Policy (CSP)",
+ Description = "Checks whether the site contains a Content-Security-Policy (CSP) header.",
+ Group = "Security")]
+public class CspCheck : BaseHttpHeaderCheck
+{
+ private const string LocalizationPrefix = "contentSecurityPolicy";
+
+ ///
+ /// Initializes a new instance of the class.
+ ///
+ public CspCheck(IHostingEnvironment hostingEnvironment, ILocalizedTextService textService)
+ : base(hostingEnvironment, textService, "Content-Security-Policy", LocalizationPrefix, false, false)
+ {
+ }
+
+ ///
+ protected override string ReadMoreLink => Constants.HealthChecks.DocumentationLinks.Security.CspHeaderCheck;
+}
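Review bot: The class summary and the `Description` on the `[HealthCheck]` attribute should state that this check only tests for the presence of a `Content-Security-Policy` header, not for the strength of the policy; as far as the constructor call shows, only the header name and two boolean flags are handed to `BaseHttpHeaderCheck`, so presumably a permissive policy such as one built from wildcards or `unsafe-inline` would still pass (confirm against the base class, which is outside this diff). A one-line addition to the summary would set expectations for operators: `/// Only the presence of the header is verified; the policy's directives are not evaluated, so a passing result does not mean the policy is effective.` The two trailing `false, false` literals in the base call are opaque at the call site and would read better as named arguments using the base constructor's parameter names. Given the pattern of the sibling header checks, the class could also be marked `sealed` unless it is intended as a base for further checks.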