Ok, I just saw that observe.mozilla.org gives forum.osticket.com 30/100% or points...
Maybe I'm paranoid...
But anyway, if someone has a useful hint that makes it more secure, I would appreciate it and implement it.
Thanks to all
Problem Solved (so far).
PS: For others: My CSP looks like this:
# One directive for the whole policy: a second "Header set" for the same header replaces the first
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"