Add optional Content-Security-Policy header to UI


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • 2.5.28
    • Affects Version/s: 2.5.0
    • Component/s: UI
    • None

      The Content-Security-Policy header tells the browser which external sites a page is allowed to load CSS, JavaScript, images, etc. from. Security scans can flag it as missing. Tomcat sets some reasonable security headers by default, but CSP isn't one of them, and it isn't supported at the server level at all. Anyone who needs it in Tomcat is expected to write their own servlet filter to add it.

       

            Assignee:
            Chad Redman (unc.edu) (Inactive)
            Reporter:
            Chad Redman (unc.edu) (Inactive)
            Votes:
            0
            Watchers:
            1

              Created:
              Updated: