Content-Security-Policies CSP #1942
Replies: 2 comments
-
Likewise, some time ago, I too set up a content security policy (CSP) at the end of a .htaccess file -- mainly as a curiosity / testing / learning exercise. When I was jumping through the Google quality / speed / SEO / accessibility testing fun, I think a CSP did help with that. However, since I think I now know more about what I want, I'm not sure that a CSP is really needed for a Publii site, since the Publii static site baseline 'out of the box' is so good anyway. Today, I probably wouldn't bother with a CSP (unless making it work sooner was less hassle :-). My view today is that building a profitable website is more than just getting every single technical detail right, and the Google requirements of course will always keep changing because, in my opinion, Google is primarily an advertising company, not a search engine provider. For me, connecting with buyers directly and building relationships is way more important than the Google dance. Plus, search engines are changing anyway, and with AI going on, 2025 might be pivotal.

Yes, a CSP can be a PITA to set up. If you have plugin web form(s), any tracking (like Google Analytics, etc.), commenting, YouTube and/or Vimeo videos, Slideshare, social media connections, and so on, and you want to use a CSP, you'll need the right CSP entries for all of those. Sometimes, you may need multiple entries for the same thing in different sections of your CSP.

Having said all that, maybe a CSP plugin for Publii would go a long way to making it an easier process. For those folks who love hands-on code detail stuff, with much patience, you could probably have fun with it. The following link can help: https://csp-evaluator.withgoogle.com

Hope all that helps.
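The point above about needing the right entry for each third party, and sometimes several entries for one embed in different sections of the policy, is easy to check before deploying anything. The following is an added example, not code from the Publii project or from anyone in this thread: a small Python checker that applies the CSP Level 3 fallback chains (for example frame-src, then child-src, then default-src) and host-source matching rules to a policy string and a list of resources a page loads. The policy, the page origin https://example.com and the resource URLs are constructed test data; in a real run you would paste your own .htaccess policy and the URLs your pages actually request.

```python
"""Which resources would a Content-Security-Policy block, and why?

Added example, not Publii project code.  Applies CSP Level 3 source matching
and directive fallback rules to a policy string (as you would put in an
.htaccess Header line).  All policy, origin and URL values are constructed.
"""
from urllib.parse import urlparse

# Fetch directive -> directives consulted in order (CSP3 fallback chains).
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "img-src": ("img-src", "default-src"),
    "font-src": ("font-src", "default-src"),
    "connect-src": ("connect-src", "default-src"),
    "frame-src": ("frame-src", "child-src", "default-src"),
}
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(policy):
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}; a repeated directive is ignored."""
    out = {}
    for tokens in (part.split() for part in policy.split(";")):
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out


def _origin(url):
    u = urlparse(url)
    return (u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme))


def _scheme_ok(src_scheme, url_scheme):
    # An http:/ws: source also covers the secure upgrade of that scheme.
    return src_scheme == url_scheme or (src_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def _match_host_source(src, url, page_scheme):
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    hostport, slash, tail = rest.partition("/")
    host, _, port = hostport.lower().partition(":")
    path = slash + tail
    u = urlparse(url)
    if not _scheme_ok((scheme or page_scheme).lower(), u.scheme):
        return False  # a schemeless source inherits the page's scheme
    uhost = (u.hostname or "").lower()
    if host.startswith("*."):
        if not uhost.endswith(host[1:]):  # '*.example.com' covers subdomains only
            return False
    elif uhost != host:
        return False
    if port and port != "*" and str(u.port or DEFAULT_PORTS.get(u.scheme)) != port:
        return False
    if path and not (u.path.startswith(path) if path.endswith("/") else u.path == path):
        return False
    return True


def source_matches(src, url, page_origin):
    """Does one source expression from a directive's value allow this URL?"""
    u = urlparse(url)
    if src == "'none'":
        return False
    if src == "*":
        return u.scheme in NETWORK_SCHEMES
    if src == "'self'":
        return _origin(url) == _origin(page_origin)
    if src.startswith("'"):
        return False  # 'unsafe-inline', nonces, hashes govern inline code, not URLs
    if src.endswith(":") and "/" not in src:
        return _scheme_ok(src[:-1].lower(), u.scheme)  # scheme-source such as data: or https:
    return _match_host_source(src, url, urlparse(page_origin).scheme)


def evaluate(policy, page_origin, resources):
    """For each (fetch_directive, url) return the deciding directive and the verdict."""
    directives = parse_policy(policy)
    results = []
    for fetch_directive, url in resources:
        deciding = next((d for d in FALLBACK[fetch_directive] if d in directives), None)
        allowed = (deciding is None  # no governing directive: CSP does not restrict it
                   or any(source_matches(s, url, page_origin) for s in directives[deciding]))
        results.append({"url": url, "directive": deciding, "allowed": allowed})
    return results


PAGE_ORIGIN = "https://example.com"  # constructed: the site being tested
POLICY = (  # constructed policy, as one might write it in .htaccess
    "default-src 'self'; "
    "script-src 'self' https://www.googletagmanager.com https://www.youtube.com; "
    "frame-src https://www.youtube-nocookie.com; "
    "img-src 'self' data: https://i.ytimg.com; "
    "connect-src 'self'"
)
RESOURCES = [  # constructed: what a page with GA4 and one embedded video loads
    ("script-src-elem", "https://example.com/assets/js/scripts.js"),
    ("script-src-elem", "https://www.googletagmanager.com/gtag/js"),
    ("connect-src", "https://www.google-analytics.com/g/collect"),
    ("frame-src", "https://www.youtube.com/embed/abc123"),
    ("frame-src", "https://www.youtube-nocookie.com/embed/abc123"),
    ("img-src", "https://i.ytimg.com/vi/abc123/hqdefault.jpg"),
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),
    ("font-src", "https://fonts.gstatic.com/s/inter/v12/font.woff2"),
]

if __name__ == "__main__":
    for r in evaluate(POLICY, PAGE_ORIGIN, RESOURCES):
        print(f"{'ALLOW' if r['allowed'] else 'BLOCK':5} {r['directive'] or '-':12} {r['url']}")
```

Running it against the constructed data shows the two traps the post describes: the Google Analytics script loads (script-src lists googletagmanager.com) but its measurement beacon is blocked because connect-src only has 'self', and the YouTube iframe is blocked because the youtube.com entry sits in script-src while iframes are governed by frame-src, so the same service needs entries in two sections. The web font is blocked by default-src because no font-src was written at all. A practical way to stage this on a live site is to ship the same policy under the Content-Security-Policy-Report-Only header first (with mod_headers, `Header always set Content-Security-Policy-Report-Only "..."`), which logs violations in the browser console without breaking anything, and only then switch to the enforcing header.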
-
Thank you very much for your thoughts and tips as well as the collection of links. My question was precisely because I wanted to know more about how others use this and whether they do at all. On the one hand, I fully agree with you about CSP, especially since Publii creates static websites. I also share your view that the goal and purpose of a website, especially in the business environment, should not only be presence, but also a return flow of the resources used. I agree that it will be difficult for a CSP plugin to cover all possible cases and CSP directives (Mozilla CSP description) correctly and sensibly. But I accept CSP as a part of meaningful content management and holistic system administration. Especially with Publii, where we are less concerned with Apache/Nginx/LiteSpeed/etc. configurations than in other CMSs, I see a sensible use for CSP, similar to what I already do with HSTS, CSRF, CORP/CORS, referrer policies and so on. But I don't believe that anyone should be paranoid and set CSP rules just so you can fiddle around for hours and make your life more difficult.
-
Hi
I have defined content security policies in .htaccess for one of my Publii websites. So far so good. Some external scripts won't run, but I'm getting to a solution step by step. Does anyone have any tips or experiences with CSP for Publii in general?