Content Security Policy Hidden Benefits

Can CSP really keep my website safe?

Yes. Enabling Content Security Policy (CSP) adds a security layer to your website that helps prevent Cross-Site Scripting (XSS) and data injection attacks. It also has a number of hidden perks your company can benefit from.

Reliable browsers are just like banks when you buy a property. If you apply for a loan to buy a house, the bank is responsible for analysing the house, establishing the real market price and investigating the seller or the builder to make sure it’s a safe deal. Only then, once everything checks out, is the loan granted.

“Aww! The bank cares about me!”, you might be thinking. However, be mindful that the bank is only looking out for its own interests. Basically, if you can't pay your loan, the bank gets to own your house. As such, its mission is to avoid owning a property that is worth less than the market price, so it can eventually sell it and recover its investment.

Similarly, browsers and a properly enabled CSP work for you. They help your website and your company stay out of trouble. Here are a few ways CSP can help you:

  1. Cleaning up your website’s HTML code - while a little inline style is still accepted nowadays so the site looks right as the page loads, CSP forces your coders to stop adding inline HTML and inline JavaScript as they please. This will also speed up the loading times for your web pages.
  2. Enabling your developers to write JavaScript code that is more resilient when faced with attacks.
  3. Improving your website in terms of GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) compliance. Why? Easy: CSP means whitelisting all the JavaScript code your website executes, and while doing that you learn more about the third-party tools you typically use. Example:

You could discover that a service you explicitly told not to track actually forwards data to a fourth party. That party may or may not track your users’ activity, violating your website’s GDPR policy without your knowledge and without your users’ actual consent. As such, CSP can act like a GDPR audit for the front end of your website.

Another big benefit is that you become familiar with all the scripts your website uses to communicate with other hosts. This helps you paint a clearer picture of which scripts to remove and which to trust, and you will know exactly which ones will face restrictions so that your company stays safe under these new regulations.
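As an added example (not code from the original post), here is a small Python script showing that audit in practice: a candidate policy you would serve as Content-Security-Policy-Report-Only so nothing breaks yet, and a summary of the violation reports browsers POST back, grouped by directive and blocked host. The vendor host, the page URLs and the reports themselves are constructed placeholders.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Candidate policy. Served as Content-Security-Policy-Report-Only it blocks
# nothing; browsers just report what the enforced policy *would* block.
# The vendor host is a hypothetical placeholder, not a real service.
CANDIDATE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example-vendor.test"],
    "connect-src": ["'self'"],
    "report-uri": ["/csp-report"],
}

def build_header(policy):
    """Serialise the directive map into a CSP header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())

# Constructed sample reports, in the JSON shape a browser POSTs to report-uri.
# Older browsers put the whole directive in "violated-directive"; newer ones
# add "effective-directive" with just the directive name, so handle both.
SAMPLE_REPORTS = [json.loads(s) for s in (
    '{"csp-report": {"document-uri": "https://www.example.test/", '
    '"violated-directive": "script-src", "blocked-uri": "https://tracker.fourth-party.test/pixel.js"}}',
    '{"csp-report": {"document-uri": "https://www.example.test/checkout", '
    '"violated-directive": "script-src", "blocked-uri": "https://tracker.fourth-party.test/pixel.js"}}',
    '{"csp-report": {"document-uri": "https://www.example.test/", '
    '"violated-directive": "script-src", "blocked-uri": "inline", "line-number": 42}}',
    '{"csp-report": {"document-uri": "https://www.example.test/", '
    '"effective-directive": "connect-src", "violated-directive": "connect-src \'self\'", '
    '"blocked-uri": "https://collect.fourth-party.test/beacon"}}',
)]

def directive_name(body):
    """Return the bare directive name regardless of report format."""
    return body.get("effective-directive") or (body.get("violated-directive") or "unknown").split()[0]

def summarise(reports):
    """Map directive -> Counter of blocked hosts (or 'inline'/'eval' markers)."""
    summary = {}
    for report in reports:
        body = report.get("csp-report", report)
        blocked = body.get("blocked-uri", "")
        # "inline" and "eval" carry no host; keep them as-is so inline script
        # that still needs cleaning up shows in the same inventory.
        host = urlsplit(blocked).netloc or blocked
        summary.setdefault(directive_name(body), Counter())[host] += 1
    return summary

if __name__ == "__main__":
    print("Content-Security-Policy-Report-Only:", build_header(CANDIDATE_POLICY))
    for directive, hosts in summarise(SAMPLE_REPORTS).items():
        for host, n in hosts.most_common():
            print(f"{directive:12} {host:35} {n} report(s)")
```

Each host that shows up under script-src or connect-src is a party your page talks to; the ones you never knowingly added are the fourth parties the post describes.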

If you are considering CSP for your website, I applaud your decision. However, be prepared to change a few habits you would never have considered harmful before. Be prepared to decide which of your website’s third-party code snippets get whitelisted, which have to change functionality to become compliant, and which simply go away.

About Us

Upward International specializes in CSP, along with services such as building custom Drupal websites from scratch, CRM integrations and more.

Shoot us a message about your project! We're confident that we can be the ideal partner in the interactive world.