What Is a CSP and Do You Need One?

Do you need a content security policy? And if you do, how should you add it to your website?

CSP stands for Content-Security-Policy. A CSP is a client-side (i.e., web browser) security mechanism that works by restricting the types of content, and the sources, that the browser is allowed to load on your website. Essentially, it is a set of rules that tell the browser which outside resources and services may load on your pages at all, and if they can, what they can do there.

Recently, we helped a client set up a CSP on a website. To have a locked-down, secure CSP, you have to start pretty restricted. We quickly discovered that this WordPress website calls far more essential outside services than we realized. Effectively, this caused multiple website features to stop working while we honed and tweaked the policy.

In the end, we used a service to help give us some needed feedback and tracking – more on that in a bit. 

The truth is, unless you are in a very security-focused space (or need to control your content with a padlock), I recommend skipping the CSP at this time. It adds another layer of constant upkeep, especially if you are used to adding new tools and services to your website frequently as needs arise. For example, if you add a new plugin to view PDFs, you may find that it does not load properly. Chances are you will forget about the CSP and spend hours hunting down a solution when the real issue is that you blocked the external resources the PDF viewer needed.

I think there are more significant risks to security on WordPress, for example, brute force attacks and shared hosting where malicious code can cross folders and installs. 

If you do need a CSP:

I highly recommend Rapid Sec. We ended up using their tool to monitor and track what was trying to access the website. It gives you an excellent interface for allowing or denying resources, and you can publish your policy right from their dashboard with version tracking. 

Without this tracking, we would have been guessing about many policy declarations and their impact. Instead, we quickly iterated the policy to allow all required scripts and resources while seeing everything it was effectively blocking. 
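The iterate-from-feedback workflow described above, as an added example that is not from this post or from Rapid Sec: it parses constructed violation reports in the `csp-report` JSON shape browsers POST to a `report-uri` endpoint while a locked-down policy runs in `Content-Security-Policy-Report-Only` mode, groups the blocked origins by directive, and renders a tightened policy that allowlists only what was actually observed. The sample hosts, the starting policy and the report contents are assumptions; keyword violations such as `inline` are set aside for manual review rather than auto-allowed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Starting point: a locked-down policy, shipped as
# Content-Security-Policy-Report-Only so nothing breaks while reports come in.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'"],
    "font-src": ["'self'"],
}

# Constructed sample reports, in the JSON shape a browser POSTs to the
# report-uri endpoint (made-up .test hosts, not real services).
SAMPLE_REPORTS = [
    '{"csp-report": {"violated-directive": "script-src \'self\'", "effective-directive": "script-src", "blocked-uri": "https://cdn.example-analytics.test/tag.js"}}',
    '{"csp-report": {"violated-directive": "script-src", "blocked-uri": "https://cdn.example-analytics.test/other.js"}}',
    '{"csp-report": {"violated-directive": "font-src", "blocked-uri": "https://fonts.example-cdn.test/roboto.woff2"}}',
    '{"csp-report": {"violated-directive": "script-src", "blocked-uri": "inline"}}',
]

def blocked_origin(blocked_uri):
    """scheme://host of a blocked URL, or None for keywords like inline/eval/data."""
    parts = urlsplit(blocked_uri)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"

def collect_violations(raw_reports):
    """Group blocked origins by directive; keyword hits go to a review list
    instead of being silently turned into 'unsafe-inline' or 'unsafe-eval'."""
    allow, needs_review = defaultdict(set), []
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        # Older browsers put the whole directive text in violated-directive;
        # keep just the name, preferring effective-directive when present.
        directive = report.get("effective-directive") or report["violated-directive"].split()[0]
        origin = blocked_origin(report["blocked-uri"])
        if origin is None:
            needs_review.append((directive, report["blocked-uri"]))
        else:
            allow[directive].add(origin)
    return dict(allow), needs_review

def build_policy(base, allow):
    """Render the tightened header value: base sources plus observed origins."""
    return "; ".join(f"{d} {' '.join(src + sorted(allow.get(d, ())))}" for d, src in base.items())
```

Run it against a day's worth of real reports, publish the rendered value as a `Content-Security-Policy` header, and keep the report-only header in place to catch anything the next plugin adds.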

Rapid Sec offers integrations via content management systems like WordPress and Magento and server-side integrations via Apache and NGINX. 

They offer a free tier for personal sites with a backlink, or you can get five projects for just $19/mo at the time of writing. 

Unless you have a particular need on your website or have a high profile, I recommend avoiding the content security policy for now. But if you would like one, Rapid Sec will make adding and managing it a breeze compared with the manual alternative. 


Written by Joel Miller

Joel is one half of The Sky Floor’s leap-day twin founding duo. He writes about marketing strategy, business operations, and the lessons learned from 15+ years of building digital partnerships.
