Do you use Content Security Policy with your Hugo site?

I’m using Content Security Policy on my static S3 hosted site to make it more secure. And, admittedly, hopefully get a SEO benefit too. :slight_smile:

But it’s also a pain to maintain; it breaks when I for instance include some JavaScript. Then I have to whitelist resources, but then Google’s CSP Evaluator complains that it isn’t strict enough or that I shouldn’t whitelist because that site “is known to host Angular libraries which allow to bypass this CSP”. :confused:

If it even necessary to use CSP with a static blog? Do you use it? Why?

Quick poll

For those that don’t have time right now, here’s a poll:

  • CSP is always needed, even with static sites
  • CSP is unnecessary for static sites that run on 3rd platforms (i.e., Netlify, S3, Azure blobs)
  • CSP is a good idea for static sites running on web servers (i.e., DigitalOcean)
  • I couldn’t care less about CSP :slightly_smiling_face:

0 voters

Well… It depends… If you have a static website and no DOM content is dynamically created by javascript you included on your site using any dynamic input, there’s no real need for CSP.

If you do modify DOM elements on your site, for instance because you use javascript to personally thank the user of your contact forms, you should still include a proper CSP…

I always use security headers for my WordPress and static website too. The problem is, not all server can support it via yaml or toml. Which file do you use?

Having a static website does not mean that a browser plugin can not change content on the site and inject code from another website. It does not mean that your site can not be loaded in another site via frame. It does not mean that another site can send POST and GET requests to your forms. It does not mean that any website can include your photos into their design. And plenty more.

So. Yeah. CSP is needed in any case.


Thanks everyone for voting and the replies. There are still a lot of possible risks with static websites that I didn’t think of, like browser plugins and the like. Thanks! :slightly_smiling_face:

Time for me to come up with a good CSP policy that works and that matches well with Google’s evaluator. :thinking:

I love - that generator can give you all the items you need and even teaches about new stuff. You can save your setup and re-use it later on. And you can test it with their free account (csp-report-only). I just can say: Do use CSP where ever you publish your website.

I like the way you think! I’m all about maximizing various audit scores for any potential SEO benefit. Obviously for performance and security benefits as well.

CSP headers can be difficult to deal with, depending on the type of site and its use case. For example, with a site that’s being actively marketed, you’re probably going to have a fair degree of third party scripts. Also, if you’re monetizing a site, there’s the potential for TONS of resources being loaded from different domains you might not be able to plan ahead for (ad network stuff, for example).

If it was me, and the site was just a small marketing site with basic third party tracking (Google Analytics / Matomo, maybe a couple other tracking pixels), I’d do this. I’d try to self-host as many scripts as possible (typical jQuery or whatever normal resources you’re using). That way you minimize the number of domains you need to add to CSP headers.

For reference on the subject, I can highly recommend this Security Headers site from Scott Helme in the UK. Nice, concise testing tool for figuring out what headers you can optimize and how.

1 Like