diff --git a/README.md b/README.md
index d85cb02..c0bd84a 100644
--- a/README.md
+++ b/README.md
@@ -121,7 +121,7 @@ interface HeaderFinding {
| Header | Max Points | Key Checks |
|---|---|---|
| Strict-Transport-Security | 20 | max-age ≥ 1 year, includeSubDomains, preload |
-| Content-Security-Policy | 30 | presence, no unsafe-inline/eval, no wildcards, form-action set |
+| Content-Security-Policy | 30 | presence, no unsafe-inline/eval, no wildcards, form-action/base-uri/object-src fallback set |
| X-Frame-Options | 15 | DENY or SAMEORIGIN (or CSP frame-ancestors) |
| X-Content-Type-Options | 10 | nosniff |
| Referrer-Policy | 10 | strict values only |
diff --git a/src/rules.ts b/src/rules.ts
index 779cf09..009c433 100644
--- a/src/rules.ts
+++ b/src/rules.ts
@@ -138,6 +138,16 @@ export function checkCSP(headers: RawHeaders): HeaderFinding {
findings.push("No base-uri directive — injection can redirect relative nonce sources (base-uri does not inherit from default-src)");
recommendations.push("Add base-uri 'self' or base-uri 'none' to prevent injection");
}
+ // object-src DOES inherit from default-src, but only when default-src is
+ // actually set. If neither is present,