we were recently being issued a finding that our website does not have the CSP deployed. We further explore and found that CSP is indeed a practice, but it is not a vulnerability. We understand the benefits implementing it, but we do really need to make a lot of changes in order to get rid of it. On the other side, we are also surprise that many websites don’t adopt it. Therefore the question, is it really necessary?