the sky floor

What Is a CSP and Do You Need One?

June 25, 2021

CSP stands for Content-Security-Policy. A CSP is a client-side (i.e., web browser) security control that works by restricting the types of content your pages may load and the sources they may load it from. Essentially, it is a set of rules that tells the browser which outside services and resources are allowed on your website at all, and if they are, what they can do there.

Recently, we helped a client set up a CSP on a WordPress website. To have a locked-down, secure CSP, you have to start pretty restricted. We quickly discovered that the site calls far more essential external services than we realized, which caused multiple website features to stop working while we honed and tweaked the policy.

In the end, we used a service to give us some much-needed feedback and tracking – more on that in a bit.

The truth is, unless you are in a very security-focused space (or need to control your content with a padlock), I recommend skipping the CSP at this time. It adds another layer of constant upkeep, especially if you are used to frequently adding new tools and services to your website as needs arise. For example, if you add a new plugin to view PDFs, you may find that it does not load properly. Chances are you will forget about the CSP and spend hours hunting down a solution when the real issue is that you blocked all the external resources the PDF viewer needed.

I think there are more significant security risks on WordPress, for example brute-force attacks and shared hosting where malicious code can cross between folders and installs.

If you do need a CSP:

I highly recommend Rapid Sec. We ended up using their tool to monitor and track what the website was trying to load and what the policy was blocking. It gives you an excellent interface for allowing or denying resources, and you can publish your policy right from their dashboard with version tracking.


Without this tracking, we would have been guessing about many policy declarations and their impact. Instead, we quickly iterated on the policy to allow all required scripts and resources while seeing everything it was blocking.
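The feedback loop described above (start locked down, watch what the browser blocks, widen the policy only for what the site really needs) can also be built by hand: browsers POST a JSON violation report to the policy's report-uri, and a report-only header lets you collect those reports without breaking anything. The script below is an added example, not Rapid Sec's code or anything from the original post; the policy, the hostnames and the sample reports are constructed placeholders.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Locked-down starting policy, as the post recommends; ship it in the
# Content-Security-Policy-Report-Only header so nothing breaks while tuning.
START_POLICY = "default-src 'self'; script-src 'self'; img-src 'self'; report-uri /csp-report"

# Constructed sample reports in the JSON shape browsers POST to report-uri.
# Hostnames are placeholders, not real services.
SAMPLE_REPORTS = [
    '{"csp-report": {"violated-directive": "script-src", "blocked-uri": "https://cdn.example-plugin.test/viewer.js"}}',
    '{"csp-report": {"violated-directive": "script-src", "blocked-uri": "https://cdn.example-plugin.test/worker.js"}}',
    '{"csp-report": {"violated-directive": "img-src", "blocked-uri": "https://img.example-cdn.test/logo.png"}}',
    '{"csp-report": {"violated-directive": "script-src", "blocked-uri": "inline"}}',
]

def parse_policy(policy):
    """'dir a b; dir2 c' -> {'dir': ['a', 'b'], 'dir2': ['c']}"""
    parts = [p.split() for p in policy.split(";") if p.strip()]
    return {p[0]: p[1:] for p in parts}

def serialize_policy(parsed):
    return "; ".join(" ".join([d] + v) for d, v in parsed.items())

def blocked_sources(reports):
    """Group what was blocked by the directive that blocked it, reducing
    full URLs to scheme://host so one allow-list entry covers many files."""
    hits = defaultdict(set)
    for raw in reports:
        r = json.loads(raw)["csp-report"]
        directive = r["violated-directive"].split()[0]  # drop any source list
        u = urlsplit(r["blocked-uri"])
        hits[directive].add(f"{u.scheme}://{u.netloc}" if u.netloc else r["blocked-uri"])
    return hits

def propose_policy(policy, reports):
    """Return (widened policy, items needing human review). Real origins are
    appended; 'inline'/'eval' hits are surfaced, never auto-allowed with 'unsafe-inline'."""
    parsed = parse_policy(policy)
    review = defaultdict(set)
    for directive, sources in blocked_sources(reports).items():
        for src in sorted(sources):
            if "://" in src:
                if src not in parsed.setdefault(directive, ["'self'"]):  # new directive keeps 'self'
                    parsed[directive].append(src)
            else:
                review[directive].add(src)
    return serialize_policy(parsed), dict(review)

if __name__ == "__main__":
    print(propose_policy(START_POLICY, SAMPLE_REPORTS))
```

Run against the constructed reports, it widens script-src and img-src by one origin each and flags the inline script for a human decision rather than loosening the policy for it.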

Rapid Sec offers integrations for content management systems like WordPress and Magento, and server-side integrations for Apache and NGINX.

They offer a free tier for personal sites with a backlink, or you can get five projects for just $19/mo at the time of writing. 

Unless you have a particular need on your website or have a high profile, I recommend avoiding the content security policy for now. But if you would like one, Rapid Sec will make adding and managing it a breeze compared with the manual alternative.