Whether you have a simple WordPress blog or a highly customized Magento ecommerce site, security should always be a top concern. We have discussed various security tactics previously, but a recent development that has made a big impact in the web security world deserves further attention: Content Security Policies (CSP).
What is a Content Security Policy?
In addition to domains and locations, a CSP can specify whether inline styles and scripts are allowed or whether those resources may only be served from separate files. Since this is a relatively new and evolving technique, increasingly sophisticated methods of content security are being introduced.
What is the advantage of using a Content Security Policy on my site?
This can be applied to simple blogging sites as well. Another typical hack could involve altering all links on a site to go to some third-party site for malicious reasons. A CSP specifying the allowed domains for links would not allow the hacked links to go to the malicious third-party domain.
What are possible disadvantages to a Content Security Policy?
How do I set up a Content Security Policy on my site?
While there are certain WordPress plugins that can add CSPs to a WordPress site, we've found those not to work very well and to be not nearly as secure as having a qualified developer set one up at the server level. It definitely requires testing to make sure all legitimate assets are loading correctly and no site functionality is lost.
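As an added illustration (not code from this article or from any plugin it mentions), here is a small Python evaluator for a CSP header of the kind a developer would set at the server level. It reads the policy, then answers the two questions the testing step above is really about: would a given resource URL be allowed to load, and is inline script or style permitted? The policy, page origin and hostnames are constructed samples, and the source matching is simplified relative to the full CSP specification (ports and the scheme-upgrade rules are not modelled).

```python
from urllib.parse import urlparse

# Constructed sample policy: scripts only from this origin and one CDN, no inline
# scripts; styles may be inline; images from this origin or an image subdomain.
SAMPLE_CSP = ("default-src 'self'; "
              "script-src 'self' https://cdn.example.com; "
              "style-src 'self' 'unsafe-inline'; "
              "img-src 'self' https://*.images.example.net")

def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern, host):
    # A leading "*." wildcard matches any subdomain, never the bare domain itself.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def _source_allows(expr, url, page_origin):
    """Does one source expression permit the scheme/host of url? (simplified)"""
    u, p = urlparse(url), urlparse(page_origin)
    e = expr.lower()
    if e == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if e.startswith("'"):          # 'none', 'unsafe-inline', nonces, hashes: no host
        return False
    if e.endswith(":"):            # scheme-source such as https:
        return u.scheme == e[:-1]
    s = urlparse(e if "://" in e else "//" + e)
    if s.scheme and s.scheme != u.scheme:
        return False
    return _host_matches(s.hostname, u.hostname)

def _sources_for(policy, directive):
    # Fetch directives fall back to default-src when not set explicitly.
    return policy.get(directive, policy.get("default-src", []))

def allows(policy, directive, url, page_origin):
    """True if loading url under `directive` (e.g. script-src) is permitted."""
    return any(_source_allows(s, url, page_origin) for s in _sources_for(policy, directive))

def allows_inline(policy, directive):
    """True if inline code is permitted for directive, i.e. 'unsafe-inline' is present."""
    return "'unsafe-inline'" in (s.lower() for s in _sources_for(policy, directive))
```

Running the legitimate asset URLs of a site through `allows` before the header goes live is one way to catch assets the policy would block without waiting for a browser console to report them.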
Despite the additional overhead a CSP may incur, it is a very useful security tool that is increasingly becoming standard practice. That additional work on your site may prove to be very important some day.