We want a Content Security Policy but don't know where to start.
CSP is powerful but unforgiving: a too-strict policy breaks the site instantly. Always start in report-only mode.
Try this first
- 1List every external domain the site loads: fonts, scripts, iframes, images. Devtools > Network 'Domain' column is your friend.
- 2Build a first CSP in report-only mode: Content-Security-Policy-Report-Only with default-src 'self' and specific exceptions per category.
- 3Send reports to an endpoint (report-uri) or a service like report-uri.com. There you see what would be blocked per page.
- 4Tune iteratively: add domains to the right directives, repeat until reports go quiet. Can take weeks.
- 5Then switch from Content-Security-Policy-Report-Only to Content-Security-Policy. Blocking starts.
- 6Maintenance: every new external service requires a CSP update. Document in your infra runbook why each domain is allowed.
When to bring us in
Marketing-heavy site with many embeds and third-party scripts? CSP is a larger project. Bring in a security engineer or schedule iterations.
See also
- WordPress, plugins and theme have gone 6+ months without updatesOut-of-date WP is the number-one entry for malware. Don't just hit 'update all', back up first.
- Theme update broke the layout or threw a fatal errorThemes overwrite custom CSS on update unless you use a child theme.
- WordPress shows a blank screen after a plugin install or updateWSOD (white screen of death) is usually one crashing plugin. You isolate it.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.