CSP (Content Security Policy) setup for website

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Development and maintenance of all types of websites:

Informational websites or web applications

Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators

E-commerce websites or web applications

Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers

Business process management web applications

CRM systems, ERP systems, corporate portals, production management systems, information parsers

Electronic service websites or web applications

Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services

Showing 1 of 1 servicesAll 2065 services

CSP (Content Security Policy) setup for website

Medium

from 4 hours to 2 business days

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

Development of a web application for FEEDME
1161
Development of an online store for the company FURNORO
1041
Development of a web application for Enviok
822
CRM development for Chasseurs
847
Website development for SBH Partners
999
Website development for Red Pear
451

Show more works

CSP (Content Security Policy) Setup for Websites

Content Security Policy — header telling browser where scripts, styles, fonts, images and other resources are allowed to load from. Properly configured CSP makes XSS attacks practically useless: even if attacker injects malicious script, browser blocks it.

Directive Anatomy

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://cdn.example.com 'nonce-{RANDOM}';
  style-src 'self' https://fonts.googleapis.com 'unsafe-inline';
  img-src 'self' data: https:;
  font-src 'self' https://fonts.gstatic.com;
  connect-src 'self' https://api.example.com wss://ws.example.com;
  frame-ancestors 'none';
  base-uri 'self';
  form-action 'self';

Key directives:

Directive	Controls
`script-src`	Where JS scripts load from
`style-src`	Where CSS loads from
`img-src`	Image sources
`connect-src`	XHR, fetch, WebSocket
`frame-ancestors`	Who can embed page in iframe
`form-action`	Where forms submit

Nonce-based Approach

'unsafe-inline' for scripts defeats CSP. Instead use nonce — random value generated on server for each request:

// PHP/Laravel
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'self' 'nonce-{$nonce}'");

// In template
<script nonce="{{ $nonce }}">
    // this script passes validation
</script>

In Next.js via middleware:

// middleware.ts
import { NextResponse } from 'next/server';
import crypto from 'crypto';

export function middleware(request: Request) {
  const nonce = crypto.randomBytes(16).toString('base64');
  const csp = `script-src 'self' 'nonce-${nonce}'; ...`;

  const response = NextResponse.next();
  response.headers.set('Content-Security-Policy', csp);
  response.headers.set('x-nonce', nonce);
  return response;
}

Report-Only Mode

Before enforcing CSP, run in monitoring mode:

Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report

Browser sends JSON reports of violations without blocking content. Analysis over 1–2 weeks shows which sources need whitelist.

Example report:

{
  "csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "script-src-elem",
    "blocked-uri": "https://evil.com/payload.js",
    "disposition": "report"
  }
}

SPA and CDN Challenges

React/Vue/Angular apps often use eval() or dynamic script generation via webpack. This conflicts with CSP:

Webpack: use devtool: 'source-map' instead of eval, setup TrustedTypes
Google Analytics / GTM: add https://www.google-analytics.com and https://www.googletagmanager.com to script-src and connect-src
Inline styles from JS libraries: use style-src with 'unsafe-inline' only if no alternative, or move to CSS classes

Nginx Configuration

add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; ..." always;

For dynamic nonces better manage header at application level, not Nginx.

Monitoring Violations

Setup endpoint for CSP report collection or use third-party services: Report URI, Sentry (supports CSP reporting). Allows catching legitimate sources forgotten in policy and tracking real XSS attempts.

Common Mistakes

'unsafe-inline' and 'unsafe-eval' in script-src — defeats XSS protection
Wildcard * in default-src — same effect
Missing frame-ancestors — site vulnerable to Clickjacking
Forgetting wss:// in connect-src when using WebSocket

Implementation Timeline

Audit current resource sources: 2–4 hours
Setup Report-Only + data collection: 1–2 weeks
Transition to enforcement with debugging: 3–5 days