
Content Security Policy (CSP) in 10 Minutes — A Practical Guide for Omaha SMBs

CSP is the strongest browser-enforced backstop against XSS attacks on your website, but it has a reputation for being hard to configure. Here's the simple version.

May 4, 2026

If our Vulnerability Scanner flagged your site for a missing or weak Content Security Policy, you're looking at the most powerful XSS defense the modern browser offers, and one of the most under-deployed because of its reputation for being complicated. Here's the practical, get-it-done version.

What CSP Actually Does

Content Security Policy is an HTTP response header your server sends with each HTML page. It tells the browser: "Here is the allowlist of places scripts, styles, images, and other resources may load from, and what this page is allowed to do. Block everything else."

If an attacker manages to inject JavaScript into your site (via a comment form, search box, or compromised plugin), CSP refuses to run it: an injected inline <script> block or onclick= handler is blocked because inline script is not on the list, and an injected <script src> pointing at the attacker's server is blocked because that origin is not on the list either. The list is only as good as what is on it, so every origin you allow must be one you trust not to serve attacker-controlled files.

This is the difference between a contained bug (someone can submit weird input but nothing runs) and a full-blown account takeover (their input runs as JavaScript in every visitor's browser, where it can steal sessions or act as the visitor).

The Minimum Viable CSP for a Marketing Site

For most Omaha small business websites, this CSP is a great starting point:

Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://www.google-analytics.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self';

What this does:

  • Only your own domain can serve scripts, plus Google Tag Manager and Google Analytics
  • Inline styles allowed (most sites need this; it's a tradeoff, because injected CSS can still be used to leak page content)
  • Images can come from your own domain, inline data: URIs, or anywhere over HTTPS (so embedded screenshots still work)
  • Your site cannot be embedded in someone else's iframe (clickjacking defense)
  • base-uri and form-action are pinned to your own origin, so an injected <base> tag cannot redirect your relative script URLs and an injected form cannot post visitors' data elsewhere

Two caveats before you paste it. First, the standard Google Tag Manager and Analytics install snippet is an inline <script> block, and this policy blocks inline script; either move the snippet into a file served from your own domain, or give it a per-response nonce (a 'nonce-...' entry in script-src that matches a nonce="..." attribute on the tag). Newer GA4 setups may also send data to *.google-analytics.com and *.analytics.google.com subdomains; report-only mode will tell you whether yours does. Second, add object-src 'none' unless you still serve Flash or Java applets; otherwise object-src falls back to default-src, and 'none' costs nothing.

The Two-Step Rollout (Don't Skip This)

Going straight to enforcement almost always breaks something you forgot about. Here's the safe rollout:

Step 1: Report-Only Mode

Send the header as Content-Security-Policy-Report-Only instead of Content-Security-Policy, with the same policy plus a report-uri directive pointing at an endpoint you control. The browser logs violations to its console and POSTs each one as JSON to that endpoint, but blocks nothing. Run this for 1–2 weeks. The console only shows you the pages you personally click through; the endpoint shows you what real visitors' browsers hit, including the widget on a landing page you forgot existed.

Step 2: Fix the Violations, Then Enforce

You'll usually find violations like the Hotjar tracking script or the Mailchimp signup widget being blocked. Add those origins (scheme and host, not the full URL) to the directive named in the report: script-src for the script itself, connect-src for the calls it makes, form-action for a signup form that posts to the vendor. One exception: a report whose blocked-uri is "inline" is your own inline script, and the fix is to move it into a file or give it a nonce, not to add 'unsafe-inline'. Once the reports stop, switch to enforcement mode.

Common CSP Mistakes

1. Using 'unsafe-inline' on script-src

This single setting essentially defeats the purpose of CSP: an injected inline script is just another inline script, and the browser runs it. If you have inline event handlers (<button onclick="...">) or inline <script> blocks, refactor them to external files first, or mark the inline blocks with a per-response nonce or a hash. When a nonce or hash is present, browsers that understand it ignore 'unsafe-inline', so it only ever serves as a fallback for very old browsers.

2. Wildcarding everything to make errors stop

script-src * defeats CSP. So do script-src http: and script-src https:, which allow any site on the internet, and data:, which lets an injected data: URL run as script. The whole point is to be specific: a short list of exact origins.

3. Forgetting about your CDN

If you load assets from cdn.yourcompany.com, that origin needs to be in your CSP, in the directive for each resource type it serves. Same for fonts, embedded videos, and chat widgets. Report-only mode finds these for you; guessing does not.

4. Setting it once and forgetting

Every time marketing adds a new tracking pixel or chat widget, the CSP needs to be updated. Build a quick checklist: "Adding a new third-party script? Update the CSP."
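A checker for the mistakes above, as an added example (not code from the original post). It parses a policy the way a browser does (the first copy of a directive wins, later duplicates are ignored) and reports findings by severity: 'unsafe-inline' without a nonce or hash, wildcard and scheme-only script sources, plain-HTTP script hosts, and the directives that are easy to leave out. Mistake #3, a forgotten CDN, cannot be found statically, only by report-only traffic, so it is not checked. The two policies in SAMPLE_POLICIES are constructed: the article's starter policy and the "make the errors stop" policy that mistakes #1 and #2 produce.

```javascript
// Added example, not the original post's code. SAMPLE_POLICIES are constructed.

function parsePolicy(header) {
  const directives = {};
  for (const chunk of header.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // duplicates ignored, as browsers do
  }
  return directives;
}

// Source expressions that turn a script directive into "anything goes".
const WIDE_OPEN = new Set(["*", "http:", "https:", "http://*", "https://*", "data:"]);

function lintPolicy(header) {
  const d = parsePolicy(header);
  const findings = [];
  const add = (severity, directive, message) => findings.push({ severity, directive, message });

  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const scriptDirective = "script-src" in d ? "script-src" : "default-src" in d ? "default-src" : null;
  if (!scriptDirective) {
    add("high", "script-src", "no script-src and no default-src: scripts are unrestricted");
  } else {
    const src = d[scriptDirective];
    const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (src.includes("'unsafe-inline'")) {
      if (hasNonceOrHash) {
        add("info", scriptDirective, "'unsafe-inline' is ignored by browsers that honor the nonce/hash; harmless as a CSP1 fallback");
      } else {
        add("high", scriptDirective, "'unsafe-inline' lets injected <script> run: mistake #1");
      }
    }
    if (src.includes("'unsafe-eval'")) {
      add("medium", scriptDirective, "'unsafe-eval' lets injected strings reach eval()/new Function()");
    }
    for (const s of src) {
      if (WIDE_OPEN.has(s)) add("high", scriptDirective, `${s} allows scripts from anywhere: mistake #2`);
      else if (s.startsWith("http://")) add("medium", scriptDirective, `${s} is plain HTTP; an on-path attacker can swap the script`);
    }
  }
  if (!("object-src" in d) && !("default-src" in d)) add("medium", "object-src", "missing: set object-src 'none' unless you serve plugins");
  if (!("base-uri" in d)) add("medium", "base-uri", "missing: an injected <base> tag can redirect relative script URLs");
  if (!("frame-ancestors" in d)) add("low", "frame-ancestors", "missing: the site can be framed (clickjacking)");
  if (!("report-uri" in d) && !("report-to" in d)) add("info", "report-uri", "no reporting directive: violations are visible only in your own console");
  return findings;
}

// Constructed samples: the article's starter policy, and the quick-fix policy
// that mistakes #1 and #2 produce.
const SAMPLE_POLICIES = {
  starter: "default-src 'self'; script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://www.google-analytics.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self';",
  quickFix: "default-src *; script-src * 'unsafe-inline' 'unsafe-eval' http://cdn.example.com; style-src * 'unsafe-inline'",
};

for (const [name, policy] of Object.entries(SAMPLE_POLICIES)) {
  console.log(`== ${name}`);
  for (const f of lintPolicy(policy)) console.log(`${f.severity.padEnd(6)} ${f.directive}: ${f.message}`);
}
```

The starter policy comes back with no high findings (only the note that it has no reporting directive); the quick-fix policy produces two highs, two mediums for eval and the plain-HTTP CDN, and the missing base-uri and frame-ancestors.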

WordPress, Shopify, and Wix

If you're on a hosted platform, you usually can't set raw HTTP headers. A <meta http-equiv="Content-Security-Policy" content="..."> tag in the page head works anywhere you can edit the HTML, with two gaps: frame-ancestors and report-uri are ignored in a meta tag, so the clickjacking defense and the violation reports only work from a real header. Workarounds:

  • WordPress: Use a header plugin like "HTTP Headers" or configure at the hosting layer (Cloudflare, your host's dashboard).
  • Shopify: CSP is set by Shopify and can't be customized on most plans. Shopify Plus offers more control.
  • Wix: No CSP customization. This is one reason Wix sites tend to score lower on our scanner.

If you're hitting platform limits, putting Cloudflare in front of your site and using their "Transform Rules" or "Workers" to inject headers is the typical escape hatch.
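The Workers escape hatch, as an added example (not code from the original post or from Cloudflare's documentation): a Worker that stamps the policy onto HTML coming back from the origin and also receives the violation reports, so a site on a platform that cannot set headers or host an endpoint still gets both halves of the rollout. HEADER, POLICY and the /csp-report path are assumptions to replace with your own; it needs a Fetch API runtime (Workers, or Node 18+ to run the test locally).

```javascript
// Added example, not the original post's code. HEADER, POLICY and /csp-report
// are assumptions; needs a Fetch API runtime (Workers, or Node 18+).

const HEADER = "Content-Security-Policy-Report-Only"; // step 2: "Content-Security-Policy"
const POLICY = "default-src 'self'; script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://www.google-analytics.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; report-uri /csp-report";

function withCsp(response, headerName = HEADER, policy = POLICY) {
  const type = response.headers.get("content-type") || "";
  if (!type.includes("text/html")) return response; // only documents run scripts
  // A Response that came from fetch() has immutable headers, so build a copy.
  const headers = new Headers(response.headers);
  // append, not set: if the origin already sends a policy, the browser enforces
  // every policy it receives, so adding one can only tighten, never loosen.
  headers.append(headerName, policy);
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Reports arrive as JSON POSTs (content-type application/csp-report or
// application/reports+json). Logging them is enough for a small site: read
// them with `wrangler tail` and feed the lines to whatever summarizes them.
async function handleReport(request) {
  if (request.method !== "POST") return new Response("method not allowed", { status: 405 });
  let report;
  try {
    report = await request.json();
  } catch {
    return new Response("bad report", { status: 400 });
  }
  console.log("csp-violation", JSON.stringify(report));
  return new Response(null, { status: 204 });
}

const worker = {
  async fetch(request) {
    const url = new URL(request.url);
    if (url.pathname === "/csp-report") return handleReport(request);
    return withCsp(await fetch(request)); // everything else passes through to the origin
  },
};
// In the deployed Worker file this object is the module's default export:
//   export default worker;
```

Deploy with wrangler by adding `export default worker;` as the last line and routing your hostname to the Worker. Non-HTML responses (images, CSS, fonts) pass through untouched, and a malformed report gets a 400 instead of crashing the handler.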

How to Test Your CSP

  1. Re-run our free Vulnerability Scanner — we grade CSP quality, not just presence
  2. Use the Chrome DevTools console while clicking around your site; any blocked resources will log there
  3. Check observatory.mozilla.org for an in-depth audit of this and your other security headers
  4. Paste the policy into Google's CSP Evaluator (csp-evaluator.withgoogle.com), which flags 'unsafe-inline', wildcards, and allowlisted origins that are known to host scripts an attacker can abuse

Get Help

CSP is one of those things that's easy to half-implement (which gives you false confidence) and hard to get right. If you'd rather have an Omaha team configure it properly, DME Computer Services handles CSP rollouts as part of cybersecurity engagements. Call 402-650-8407.


DME Computer Services is a local Omaha-based IT provider delivering managed IT support, cybersecurity, and technology solutions for small businesses. Schedule a free assessment — same-day response available.
