Does A WordPress Website Need a Content Security Policy?

If you’re reading this then there’s a very good chance one of the following is true:

  1. You’ve just had a security scan done on your website and the IT company responsible has flagged this as a concern.
  2. You’ve just run a Lighthouse scan on your website and the lack of a Content Security Policy has been highlighted.
  3. You’re also trying to work this out because you’re a web developer who keeps getting asked to implement CSPs on client websites.

If this isn’t the case, the remainder of this post will likely be of little use or interest to you. Want to keep reading anyway? Don’t say I didn’t warn you…

The Background

For those not in the know, a Content Security Policy (CSP) is a set of rules which will tell the browser whether or not to load “content” from different places. Now this is content in the sense of absolutely anything – rather than just the text, images and videos which appear on your website. If there’s a bit of tracking code on your website (think Google Analytics) or a font loaded externally, or pretty much anything else that loads onto / does something with your website – this all comes under the umbrella term of “content”. Without a CSP you are saying that anything from anywhere is allowed to run on your website no matter what the source or intent, and with a CSP you can narrow that down to specific sources and specific pieces of content.
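To make the “set of rules” concrete, here is a small Python model of how a browser applies a policy, added as an illustration for this post (it is not WordPress code and not code from the original post). The policy string, the hostnames in it (Google Fonts and the Google Analytics tag) and the list of resources are constructed assumptions; the matching rules are a simplified subset of real CSP behaviour, enough to show the two points that matter here: a directive that is missing falls back to default-src, and with no policy at all everything is allowed.

```python
from urllib.parse import urlparse

# Constructed policy for a hypothetical WordPress site that loads Google Fonts
# and the Google Analytics tag. The hostnames are assumptions for this example,
# not the post's own policy. This string is what would be sent in the
# Content-Security-Policy response header.
EXAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://www.googletagmanager.com; "
    "style-src 'self' https://fonts.googleapis.com; "
    "font-src https://fonts.gstatic.com; "
    "img-src 'self' data:"
)

# Which directive governs which kind of load. A kind not listed here, and any
# directive missing from the policy, falls back to default-src.
DIRECTIVE_FOR = {
    "script": "script-src",
    "style": "style-src",
    "font": "font-src",
    "image": "img-src",
}


def parse_policy(policy: str) -> dict:
    """Turn 'name src src; name src' into {name: [src, ...]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Match one source expression (a simplified subset of CSP host/scheme matching)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == page_origin
    if source == "*":
        return True
    if source.endswith(":"):  # scheme source such as data: or https:
        return urlparse(url).scheme + ":" == source
    # Host source, optionally with a scheme and a leading *. wildcard.
    src = urlparse(source if "://" in source else "//" + source)
    tgt = urlparse(url)
    if src.scheme and src.scheme != tgt.scheme:
        return False
    src_host, tgt_host = src.hostname or "", tgt.hostname or ""
    if src_host.startswith("*."):
        return tgt_host.endswith(src_host[1:])
    return src_host == tgt_host


def is_allowed(policy: str, kind: str, url: str, page_origin: str) -> bool:
    """Would a browser enforcing `policy` on a page at `page_origin` load this resource?"""
    directives = parse_policy(policy)
    sources = directives.get(DIRECTIVE_FOR.get(kind, "default-src"))
    if sources is None:
        # Missing directive: default-src applies. No policy at all: everything is allowed.
        sources = directives.get("default-src", ["*"])
    return any(_source_matches(s, url, page_origin) for s in sources)


def audit(policy: str, page_origin: str, loads) -> dict:
    """Map each (kind, url) a page wants to load to True (allowed) or False (blocked)."""
    return {url: is_allowed(policy, kind, url, page_origin) for kind, url in loads}


if __name__ == "__main__":
    # Constructed list of what a typical plugin-heavy page might try to load.
    loads = [
        ("script", "https://whatever.com/wp-includes/js/jquery/jquery.min.js"),
        ("script", "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"),
        ("script", "https://cdn.some-plugin.example/widget.js"),
        ("font", "https://fonts.gstatic.com/s/roboto/v30/roboto.woff2"),
        ("frame", "https://www.youtube.com/embed/EXAMPLE"),
    ]
    for url, ok in audit(EXAMPLE_POLICY, "https://whatever.com", loads).items():
        print("allowed" if ok else "BLOCKED", url)
```

Running the audit against a list of everything your plugins actually load is, in miniature, the work of writing a policy: every BLOCKED line is either something you need to add a source for or something you decide the site should not be loading at all. Note that font-src in the example deliberately omits 'self', so a font served from your own domain is blocked, and that a kind with no directive of its own (the frame) is governed by default-src.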

Content Security Policies first became a thing in around 2012, with some work being done on them before and some updates being made to how they work since. However less than 10% of the top one million websites actually use them – so why aren’t people using them more widely and is it something that you should be concerned about?

Digging a Bit Deeper

So as we covered off above – a CSP will stop your website loading content from external sources, but what does that actually mean for you? Well, if you look it up, you’ll find a lot of articles which talk about how it will protect your website from Cross Site Scripting (XSS) attacks – “BUT WHAT DOES THAT MEAN” I hear you ask. It sounds impressive sure, but what is an XSS attack in reality?

An XSS attack is when a hacker gets a malicious piece of code to run on your website. The most common way they might do this is to put a bit of code into a search box or a comment form, so that when the web page displays that information it tries to run the code. For example, if you were on https://whatever.com and searched for something, it would probably change the URL to https://whatever.com/?q=something and the word something would display in the search box at the top of the page. Now if you were to change that into a piece of code, something like https://whatever.com/?q="<script>alert("Im-up-to-no-good")</script>", then you could in theory run that piece of code on someone else’s website.

Now, this sounds scary – but I can almost 100% guarantee you that if you were to try this on any website in the world, all that would happen is that the search box at the top of the page would show the text "<script>alert("Im-up-to-no-good")</script>" (in the page source it is stored as &quot;&lt;script&gt;alert(&quot;Im-up-to-no-good&quot;)&lt;/script&gt;&quot;) and absolutely nothing would happen to the website. Go on, try it.

This is because developers worked out this was a problem closer to 30 years ago and put systems in place to prevent it (output escaping). Escaping turns anything that looks like code into completely safe and innocent text that has no effect on the website’s workings.
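Here is what that escaping step does, as an added Python illustration written for this post (it is not WordPress code and not code from the original post). It reflects the post’s own search-box payload into a minimal input template two ways, once verbatim and once escaped, then reads the attribute back the way a browser would to show what the visitor sees in the box. The template and the helper names are assumptions for the example; in a WordPress theme the equivalent escaping call is esc_attr().

```python
from html import escape
from html.parser import HTMLParser

# The post's own example payload, as it would arrive in the ?q= parameter.
PAYLOAD = '"<script>alert("Im-up-to-no-good")</script>"'

# Constructed minimal search-box template; {q} is where the query is reflected.
TEMPLATE = '<input type="search" name="q" value="{q}">'


def render_search_box_unsafe(q: str) -> str:
    """Reflects the query verbatim. The leading quote in the payload closes the
    value attribute, so the <script> tag becomes live markup."""
    return TEMPLATE.format(q=q)


def render_search_box(q: str) -> str:
    """Escapes &, <, > and quotes so the query can only ever be attribute text."""
    return TEMPLATE.format(q=escape(q, quote=True))


def contains_live_script(html: str) -> bool:
    """Crude check for an unescaped <script> tag in rendered output."""
    return "<script" in html.lower()


class _ValueGrabber(HTMLParser):
    """Pull the value attribute out of the first <input>, decoding entities as a browser does."""

    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.value is None:
            self.value = dict(attrs).get("value")


def displayed_value(html: str):
    """The text the visitor would see inside the search box."""
    grabber = _ValueGrabber()
    grabber.feed(html)
    return grabber.value


if __name__ == "__main__":
    print("unsafe :", render_search_box_unsafe(PAYLOAD))
    print("escaped:", render_search_box(PAYLOAD))
    print("visitor sees:", displayed_value(render_search_box(PAYLOAD)))
```

The escaped rendering is exactly the &quot;&lt;script&gt;… text described above: the browser decodes it back into the original characters for display, so the visitor sees the payload as plain text in the box and no script ever runs. The unsafe rendering is the one case a CSP exists to catch, which is why the post calls it a second line of defence rather than a replacement for escaping.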

Oh Great, So I Don’t Need One Then?

Well, notice above how I said I can almost 100% guarantee it. I could also almost 100% guarantee that you won’t slip on a banana skin today, but we can never be completely sure. If you had the option of making sure that you absolutely had no possible way of slipping on a banana skin – you’d likely be interested in finding out how to go about it. Breaking away from the banana skin analogy now, there’s always going to be the 1% chance that there’s a security vulnerability in your site and a hacker might find a way to exploit it. By having a CSP in place you are essentially doubling down on security and making sure that if someone finds the weakness there’s a secondary line of defence to help you out.

Hang On, So I Do Need One?

I think this is where we get to the crux of the issue – in all honesty it really depends. See, a WordPress website will traditionally be built using an assortment of plugins, all of which will load code, images and other bits from around the internet. If you are using fewer plugins (which is generally considered better practice anyway) then the amount of effort involved in creating a CSP will actually be fairly minimal, so it’s probably worthwhile putting one in place. If you do have a lot of plugins and rely on a lot of external services, then the amount of effort involved would probably be too high for it to really be worthwhile trying. Ironically though, it’s these people with a large number of plugins and complex setups who would really benefit from having a policy in place.

Also, in the process of doing this research – according to this blog post and others I happened across, a CSP can help with your website’s SEO efforts. Google will favour websites which are secure over websites which are not – and by having a CSP in place you are giving hints to Google that you are taking security seriously. It’s not going to be more important than good website content, structure, loading times and backlinks – but if you’re in a particularly competitive industry then it might be worth investigating as a potential way to bump your position up by one.

JUST TELL ME WHAT TO DO

If you’ve been told by a consultant that you need to get a CSP to comply with some piece of certification – then absolutely yes, you should get a CSP. If you are using so many plugins and scripts that this becomes difficult to do – there’s a good chance you should be using fewer plugins / scripts anyway.

If you’re concerned with website security in general, then there are plenty of other things I would consider looking at before a Content Security Policy. Making sure you have good password security, clearing out any old user accounts and keeping themes / plugins / WP core up to date will be far more effective in your security efforts than a CSP on its own.

As always the answer is unfortunately quite complex and nuanced – but if you want some specific guidance around Content Security Policies then feel free to get in touch and I’d be happy to answer any questions you might have.