Despite how important content security policies are, it’s shocking how many websites don’t have them. In this article, we’ll be going over what a content security policy is, how to check whether or not you have one, and what can be done if you don’t have one.
What is a Content Security Policy?
A content security policy (CSP) is a set of rules that a website's server sends to the visitor's browser, telling the browser which content to allow or block. Its purpose is to block content originating from any source other than the website's own domain or its approved sub-domains. If a website uses content from trusted third parties, those third-party domains can be added to the content security policy's whitelist as well.
Content security policies are very important because they help seal up potential points of entry that an attacker may try to exploit. Attackers will often try to inject malicious scripts into a website, but a content security policy greatly mitigates this risk because the browser refuses to load scripts from any source the policy does not approve.
How to Check If Your Website Has One
Checking to see whether or not your website has a content security policy is very straightforward and easy to do. Simply head over to Mozilla Observatory and type your website into the search bar. After a few seconds or, at most, a few minutes, the results should be in. At the top of the page you’ll see “Scan Summary”, and below it “Test Scores”. At this time, we need only concern ourselves with the first item on this list, which should be “Content Security Policy”. If you got a green check, then congrats, your website has a CSP! If you instead got a red X, then unfortunately your website doesn’t have one.
How to Implement a CSP
CSPs may sound complex and cumbersome, but in reality they are not too much of a headache to implement. If you had a developer build your website for you, then simply let them know and they should be able to fix the problem, even if it’s their first time hearing about it. If you built your website using WordPress, then you should be able to find a plugin that will generate a CSP for you. However, if your website was built using a proprietary website builder like Squarespace or Wix, then you’ll either have to search online or contact them directly for an answer.
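To make the allow/block rule described above concrete, here is an added example in Python (not code from the original article): it builds a CSP header value that permits only the site itself plus one explicitly trusted third-party script host, then checks candidate resource URLs against it the way a browser would, in a deliberately simplified model (no nonces, hashes, ports or path restrictions). All origins used are constructed for illustration.

```python
from urllib.parse import urlparse

def build_csp(trusted_script_hosts=()):
    """CSP allowing the site itself plus explicitly whitelisted script hosts; all else is blocked."""
    directives = {
        "default-src": ["'self'"],                       # fallback for every fetch directive
        "script-src": ["'self'", *trusted_script_hosts],
        "object-src": ["'none'"],                        # no plugin content at all
        "frame-ancestors": ["'self'"],                   # only our own pages may frame us
    }
    return "; ".join(f"{name} {' '.join(vals)}" for name, vals in directives.items())

def parse_csp(header):
    """Turn "a x y; b z" into {"a": ["x", "y"], "b": ["z"]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _host_matches(pattern, host):
    """CSP host matching: '*.example.com' covers subdomains, not the bare domain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def is_allowed(header, page_origin, resource_url, directive="script-src"):
    """Would a browser enforcing `header` on `page_origin` load `resource_url`? (simplified model)"""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))  # default-src fallback
    if sources == ["'none'"]:
        return False
    page, res = urlparse(page_origin), urlparse(resource_url)
    for src in sources:
        if src == "'self'":
            if (res.scheme, res.hostname, res.port) == (page.scheme, page.hostname, page.port):
                return True
            continue
        if src.startswith("'"):
            continue  # nonces, hashes and other keyword sources are not modelled here
        scheme, sep, rest = src.partition("://")
        host = (rest if sep else src).split("/")[0].rsplit(":", 1)[0].lower()
        # schemeless host-source: same scheme as the page, or an http->https upgrade
        scheme_ok = res.scheme == scheme if sep else res.scheme in (page.scheme, "https")
        if scheme_ok and _host_matches(host, res.hostname or ""):
            return True
    return False
```

Note that an image from the trusted CDN is still blocked, because only `script-src` whitelists that host and every other directive falls back to `default-src 'self'`.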
Closing Thoughts
As always, whenever discussing web security, it’s wise not to panic and to maintain a healthy perspective. Just because a website doesn’t have a CSP doesn’t mean that it’s for sure going to get hacked. But is it worth the risk? This is why at Random Forest Web, we don’t roll the dice with our clients’ websites. Every website comes guaranteed with a CSP, because we want our clients’ websites to be as safe as humanly possible. If you’d care to learn more, please feel free to reach out to us.
Thank you for reading.
