CitrusKiwi's Web Design, Internet & Marketing blog

Get hints and tips about web design, SEO, and things internet. We also discuss online security issues, showcase new client websites and offer hints on marketing and networking.

What's your Content Security Policy?

Perhaps another, better, question is: do you have one? Or, what IS a Content Security Policy? That's a great question!

It's a fairly involved set of rules designed to make websites more secure. You can find Wikipedia's explanation on their site. For more reading (if Wikipedia's definition didn't send you to sleep!), you can look at Mozilla's site.

As with many things website related, the average business owner shouldn't be bothered with having to deal with items like this. They SHOULD be the realm of the website designer, done at the build time of the website. That's why we're going through all our clients' sites, for free, and updating their sites with an updated CSP. We're doing it free for 2 reasons. Firstly, all our clients get 12 hours of free time every year for this sort of thing. Secondly, and most importantly, our original deployment didn't provide as robust a security suite as we had thought, so we're doing what any decent business person should do - giving quality service!

So, back to the original question - what's your CSP? If you don't know, you can check it at this site. When you get there, copy and paste in the URL of your site and it'll give you a score. Obviously, an A is what you're aiming to have. Here's a second site that will do a similar test. Again, an A is the goal.

What do you need to do about CSP deficiencies?

Thank you to Scott Adams, the creator of Dilbert, for this wonderful cartoon that illustrates how many companies deal with data breaches. You can see more of Dilbert at Scott's site.

Will scoring an F stop your site working? No; after all, it's been working as an F previously. However, it certainly leaves your site open to attack and compromise. Through an injection of JavaScript or CSS into your site via a comment, a form, an advertisement or an NPM package that's part of your JavaScript build, a hacker can get control of all your users, and of anything they enter into your site.

How do I set up my own CSP and where does it go?

Well... how much time and computer-code savvy do you have? When we first became aware of the deficiency, we spent hours reading about CSPs: what they are, how they work, and how to implement them. Then we began writing the CSP. After a few more hours of frustrating failures, we decided against DIY. Fortunately, there was a wonderful plugin available in the Joomla download repository which took all the pain out of the job. With a few simple toggles and switches we took sites from an F to an A. We had mixed luck writing our own after doing website design for 9 years, so it's even less likely that Mr Average Business Owner will get the result needed.

However, by all means have a go if you have spare time. Here's a site that will get you started. A better alternative is to ask your website designer to do it for you. If he/she won't or can't, then it may be time to look for a more competent designer. Feel free to contact us and talk about how CitrusKiwi can help you to protect your site.
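To make the two points above concrete (what an injected script or style can do when the policy is weak, and what "setting up a CSP" actually involves), here is an added example that is not code from this post, from CitrusKiwi, or from the Joomla plugin mentioned. It parses a Content-Security-Policy header value the way a browser reads it, flags the settings that typically earn an F (no policy, wildcard origins, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', object-src left open), and rebuilds a policy into the header value your web server would send. The sample policies and the nonce value are constructed, and the checks are a simplified approximation of what the online CSP checkers look for, not their scoring algorithm.

```python
"""Parse a Content-Security-Policy header value and flag the settings that
typically cost a site its grade.  Added example, not code from the CitrusKiwi
post or from the Joomla plugin it mentions; the checks below are a simplified
approximation of what the online CSP checkers look for, not their algorithm."""

# The policy is delivered as an HTTP response header with this name.  While
# tuning a new policy, send it under the "-Report-Only" name instead: the
# browser reports violations to you but does not block anything.
CSP_HEADER_NAME = "Content-Security-Policy"
CSP_REPORT_ONLY_HEADER_NAME = "Content-Security-Policy-Report-Only"

# Source expressions that make a directive accept content from anywhere.
ANY_ORIGIN = {"*", "http:", "https:"}
# A nonce or hash in script-src/style-src makes browsers ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Turn "default-src 'self'; script-src 'self' https://cdn.example" into
    {"default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example"]}.
    Directive names are case-insensitive, and a repeated directive is ignored
    after its first occurrence, which matches browser behaviour."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """script-src, style-src, object-src etc. fall back to default-src when absent."""
    return policy.get(directive, policy.get("default-src", []))


def csp_findings(header: str) -> list:
    """Return the weaknesses found in a header value; empty if it looks sound."""
    policy = parse_csp(header)
    if not policy:
        return ["no policy: injected scripts and styles run unrestricted"]
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: resource types not listed are unrestricted")
    for name, sources in policy.items():
        if ANY_ORIGIN & set(sources):
            findings.append(f"{name} accepts content from any origin")
        if name in ("default-src", "script-src", "style-src"):
            has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
            if "'unsafe-inline'" in sources and not has_nonce_or_hash:
                findings.append(f"{name} allows 'unsafe-inline': a <script> or <style> "
                                "injected through a comment or form field would run")
            if "'unsafe-eval'" in sources:
                findings.append(f"{name} allows 'unsafe-eval'")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content (Flash, Java) may load")
    return findings


def build_csp(policy: dict) -> str:
    """Serialise a policy dict back into a header value, e.g. for a web server
    config or a <meta http-equiv="Content-Security-Policy"> tag."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


# Constructed sample policies: the shape of an F and the shape of an A.
# The nonce value is a made-up placeholder; a real one is random per response.
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'"
STRONG_CSP = ("default-src 'self'; script-src 'self' 'nonce-d3adb33f'; "
              "style-src 'self'; img-src 'self' data:; object-src 'none'; "
              "base-uri 'self'; form-action 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, value in (("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(f"{label}: {CSP_HEADER_NAME}: {value}")
        for finding in csp_findings(value) or ["no findings"]:
            print("  -", finding)
```

Running the script prints four findings for the weak policy and none for the strong one. The strong policy illustrates why the "few hours of frustrating failures" happen: a nonce-based script-src means every legitimate inline script on the page must carry the matching nonce attribute, which is exactly the kind of plumbing a plugin does for you. The Report-Only header name is the safe way to try a new policy on a live site before enforcing it.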
