Protect your site with a Content Security Policy

Whether you run a simple WordPress blog or a heavily customized Magento ecommerce site, security should always be a top concern. We have discussed various security tactics previously, but one browser-side defence that has had a big impact on web security deserves a closer look: the Content Security Policy (CSP).

What is a Content Security Policy?

In simple terms, a CSP is a set of rules, sent by the web server as an HTTP response header (Content-Security-Policy) or, less commonly, as a meta http-equiv tag in the page, that tells the browser where each kind of resource on the page is allowed to come from. For example, a site whose CSP allows JavaScript only from itself and from google.com will have the browser refuse to load any JavaScript file hosted anywhere else. The same can be done for other kinds of assets such as images, fonts, stylesheets, frames and the network connections scripts make, each with its own directive (script-src, img-src, font-src, style-src, frame-src, connect-src and so on). The full list of directives is documented in the CSP specification and on MDN.

In addition to hosts and schemes, a CSP can say whether inline styles and scripts are allowed at all, or whether those resources must be served from separate files. Modern policies go further: instead of the blanket 'unsafe-inline' keyword, an individual inline script can be permitted by a per-page random nonce or by a hash of its content, and a policy can first be deployed in report-only mode, where the browser reports what it would have blocked without actually blocking it. Since the standard continues to evolve, increasingly precise controls keep being added.

What is the advantage of using a Content Security Policy on my site?

The primary advantage of a Content Security Policy is solid protection against malicious content injected into a site. For example, in the widespread class of attacks on Magento stores known as Magecart, the attacker adds a JavaScript file hosted elsewhere to the checkout page; it intercepts credit card details as they are typed and sends them to a third-party site. This can occur when a Magento site is compromised and the attacker gains access to the HTML header or footer through the store admin. With a CSP in place that restricts the origins JavaScript may be loaded from, the browser refuses to load that file. Two caveats apply. The policy must also forbid inline scripts (no 'unsafe-inline' in script-src), because an attacker who can edit the footer can just as easily paste the skimmer in as an inline script block; and it should restrict where scripts may send data (connect-src, form-action), so that even a script that does run has no easy exfiltration path. A CSP cannot help if the attacker controls the server itself and can simply alter the header.
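The decision the browser makes in the Magecart scenario, and the host, inline and nonce rules described in the sections above, as an added example in JavaScript that is not part of the original post: a simplified model of CSP script-src matching. The policy, the shop.example origin and the cdn.skimmer.example host are constructed for the demo. Real browsers implement the full CSP3 algorithm, which also matches paths and hashes and supports 'strict-dynamic'; this model leaves those out.

```javascript
// Added example (not the page's code): a simplified model of the decision a
// browser makes for every <script> when a Content-Security-Policy is present.
// Covers 'none', 'self', scheme-sources, host-sources with wildcards and ports,
// 'unsafe-inline' and nonces. Omits paths, hashes and 'strict-dynamic'.
'use strict';

// "script-src 'self' https://www.google.com; img-src 'self'"
//   -> { 'script-src': ["'self'", 'https://www.google.com'], 'img-src': ["'self'"] }
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
const SCHEME_SOURCE = /^([a-z][a-z0-9+.-]*):$/i;
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/.*)?$/i;

// Does a scheme-source ("https:") or host-source ("*.cdn.example:443") match the URL?
function sourceMatches(expr, url, page) {
  const schemeOnly = expr.match(SCHEME_SOURCE);
  if (schemeOnly) return url.protocol === `${schemeOnly[1].toLowerCase()}:`;
  const m = expr.match(HOST_SOURCE);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Scheme: explicit one must match; a schemeless source takes the page's
  // scheme (https is also fine on an http page, as CSP3 allows).
  if (scheme) {
    if (url.protocol !== `${scheme.toLowerCase()}:`) return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === 'http:' && url.protocol === 'https:')) {
    return false;
  }
  // Host: '*' is any host; '*.example.com' needs at least one extra label.
  const h = url.hostname.toLowerCase();
  if (host === '*') { /* any host */ }
  else if (host.startsWith('*.')) { if (!h.endsWith(host.slice(1).toLowerCase())) return false; }
  else if (h !== host.toLowerCase()) return false;
  // Port: a source without a port matches only the scheme's default port.
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === undefined) { if (url.port !== '') return false; }
  else if (port !== '*' && port !== urlPort) return false;
  return true;
}

// May this script run? candidate = { url } for <script src>, or
// { inline: true, nonce? } for an inline <script> block.
function checkScript(policyHeader, pageUrl, candidate) {
  const directives = parsePolicy(policyHeader);
  // script-src governs scripts, default-src is the fallback; with neither
  // present the policy says nothing about scripts and the load is allowed.
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return { allowed: true, reason: 'no script-src or default-src' };
  if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) {
    return { allowed: false, reason: "'none'" };
  }
  if (candidate.inline) {
    // CSP3 rule: any nonce or hash in the list switches 'unsafe-inline' off.
    const nonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    if (!nonceOrHash && sources.includes("'unsafe-inline'")) return { allowed: true, reason: "'unsafe-inline'" };
    if (candidate.nonce && sources.includes(`'nonce-${candidate.nonce}'`)) return { allowed: true, reason: 'nonce matches' };
    return { allowed: false, reason: 'inline script without a matching nonce' };
  }
  const url = new URL(candidate.url);
  const page = new URL(pageUrl);
  for (const src of sources) {
    if (src === "'self'" && url.origin === page.origin) return { allowed: true, reason: "'self'" };
    if (!src.startsWith("'") && sourceMatches(src, url, page)) return { allowed: true, reason: `matches ${src}` };
  }
  return { allowed: false, reason: `no source matches ${url.origin}` };
}

// The scenario from the text. Origin, policy and skimmer host are constructed.
const PAGE = 'https://shop.example/checkout';
const POLICY = "default-src 'self'; script-src 'self' https://www.google.com 'nonce-r4nd0m'; object-src 'none'";

function magecartDemo() {
  return {
    ownScript: checkScript(POLICY, PAGE, { url: 'https://shop.example/js/checkout.js' }).allowed,
    recaptcha: checkScript(POLICY, PAGE, { url: 'https://www.google.com/recaptcha/api.js' }).allowed,
    skimmerTag: checkScript(POLICY, PAGE, { url: 'https://cdn.skimmer.example/checkout.js' }).allowed,
    skimmerInline: checkScript(POLICY, PAGE, { inline: true }).allowed,          // pasted without a nonce
    noncedInline: checkScript(POLICY, PAGE, { inline: true, nonce: 'r4nd0m' }).allowed,
  };
}

console.log(magecartDemo());
```

Run it with node; the last line prints which of the five loads pass. The point to take from it is the inline case: with 'unsafe-inline' absent, the skimmer is blocked whether the attacker links to it or pastes it in, while the site's own nonced script still runs. The wildcard and port rules are why a policy entry such as https://www.google.com does not also admit www.google.com:8443 or a lookalike subdomain.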

This applies to simple blogging sites as well, though it is worth being precise about what a CSP does not cover. A common hack is to alter the links on a site so they point at a malicious third-party domain; a CSP does not restrict where ordinary hyperlinks lead, so it will not stop that. What it can do for a blog is limit where forms may submit (form-action), stop an injected base tag from redirecting every relative URL on the page (base-uri), and prevent the site from being framed on another domain (frame-ancestors).

What are possible disadvantages to a Content Security Policy?

While a CSP will undoubtedly make a site more secure, it also requires extra thought when working on the site. For example, if a new plugin installed on a WordPress site loads legitimate JavaScript from a domain not listed in the CSP, the browser will block those files and the plugin will not work. The page itself still renders; the only sign of trouble is a set of errors in the browser console and in the CSP violation reports, which is why such breakage is easy to miss. Thus when running an enforced CSP it is even more important to test every new feature on a development site, and to roll out policy changes first in report-only mode so nothing breaks for visitors while the reports are checked.

How do I set up a Content Security Policy on my site?

While there are WordPress plugins that can add a CSP to a site, we've found those not to work very well and to be nowhere near as secure as having a qualified developer set one up at the server level. Setting one up definitely requires testing to make sure all legitimate assets load correctly and no site functionality is lost. The Content-Security-Policy-Report-Only header exists for exactly this: the browser applies the policy but only reports violations, and those reports show which legitimate resources still need to be allowed before the policy is switched to enforcing.

Despite the additional overhead a CSP may incur, it is a very useful security tool that is increasingly becoming standard practice. That additional work on your site may prove to be very important some day.
