diff --git a/src/rules.ts b/src/rules.ts
index db5d48c..50c344b 100644
--- a/src/rules.ts
+++ b/src/rules.ts
@@ -113,7 +113,7 @@ export function checkCSP(headers: RawHeaders): HeaderFinding {
   // fetch/navigation directive — not just as the first token of default-src/
   // script-src. img-src/style-src/font-src/media-src are intentionally omitted
   // as a wildcard there is low-risk and commonly legitimate.
-  const wildcardDirectives = ['default-src', 'script-src', 'connect-src', 'form-action', 'frame-src', 'worker-src'];
+  const wildcardDirectives = ['default-src', 'script-src', 'object-src', 'connect-src', 'form-action', 'frame-src', 'worker-src'];
   const wildcarded = wildcardDirectives.filter(d => {
     const sources = extractCspDirective(raw, d);
     return sources !== undefined && sources.includes('*');
diff --git a/test/analyzer.test.ts b/test/analyzer.test.ts
index da35ca9..787a674 100644
--- a/test/analyzer.test.ts
+++ b/test/analyzer.test.ts
@@ -181,6 +181,11 @@ describe('checkCSP', () => {
     expect(r.score).toBe(13);
   });
 
+  it('detects wildcard in object-src', () => {
+    const r = checkCSP({ 'content-security-policy': "default-src 'self'; script-src 'self'; object-src *; form-action 'self'" });
+    expect(r.findings.some(f => /Wildcard.*object-src/i.test(f))).toBe(true);
+  });
+
   it('detects wildcard in form-action', () => {
     const r = checkCSP({ 'content-security-policy': "default-src 'self'; form-action *" });
     expect(r.findings.some(f => /Wildcard.*form-action/i.test(f))).toBe(true);