Content Security Policy
Recommended for all Webtricity websites
A Content Security Policy is a security feature that helps protect a website from attacks like Cross-Site Scripting (XSS) and content injection by controlling which resources (like images, styles, and JavaScript code) browsers are allowed to load.
It works by defining rules that restrict the types of resources that are allowed, as well as where they come from, which reduces the risk of malicious code execution.
If you don't currently have a CSP, it doesn't mean your website is insecure. It just means your website could be more secure than it is now.
Webtricity already has many layers of security in place, and we encourage customers to maximize their protection by utilizing these layers, such as by requiring multi-factor authentication when signing in.
However, as your website provider, it's impossible for us to control every aspect of content management for your website, and that's why a layered approach that includes a CSP is recommended.
Sign up for a FREE website redesign & get your CSP setup for FREE.
Ask your account manager about additional discounts!
Offer valid on PRO or VIP plan through March 31.
If you're using the latest version of Google Analytics on your website, then Google Tag Manager (GTM) is also probably present.
Google Tag Manager allows organizations to quickly and easily add marketing and tracking scripts to a website without having to change the website's code or involve their IT department or web developers.
However, this means that anyone who has access to the Google account(s) with permission to manage the GTM property can add JavaScript code to your website without your (or our) knowledge.
Even if no such Google Accounts are compromised, it's still possible for a user to use GTM to unwittingly place malicious code on your website if they fall victim to a targeted phishing or social engineering attack.
With a strict CSP in place, new code added using GTM would be blocked unless you request that we update your CSP to allow it.
The elevated risk from using Google Tag Manager is mitigated with a strict Content Security Policy.
Did you know there are alternatives to Google Analytics? Check out Plausible for an excellent website analytics package that's affordable and user-friendly.
Use this checklist to evaluate your risk and find out whether you should add a CSP.
Switch your current website from LightRail to Webtricity (and get a fresh new site in the process) and we'll waive your CSP setup fee.
Offer valid on PRO or VIP plan through March 31.
Make the Switch & Save
We are seeing increasing numbers of agency E&O renewals accompanied by in-depth security audits. As part of these wide-ranging audits, some carriers are recommending or requiring that the agency website be updated to include a strict Content Security Policy, similar to the SSL requirement a few years ago.
Increasingly these security audits detect the presence and strictness of a content security policy and will call out missing or lax policies.
Some E&O carriers may be starting to evaluate the presence and strictness of an agency's CSP in their underwriting and cyber liability risk assessments, including adjusting premiums accordingly.
You can get ahead of your next E&O renewal and security audit by adding a CSP now.
Don't see your question? Send us an email.
If you're familiar with and confident in your understanding of the Content Security Policy specification, then yes, you can author your own CSP and won't have to pay the setup fee.
Unfortunately not, but with good reason. The monthly fee also covers policy violation monitoring and maintenance, necessary when:
The reason we don't offer a way for users to disable or make changes to CSPs is that doing so would defeat part of the purpose of a CSP, which is to disallow new code from being added without your knowledge or permission.
If we did allow users to manage CSPs and an attacker were to gain access to your website account, the attacker could simply disable or modify your CSP to allow their malicious code, rendering the CSP ineffective.
Because all CSP edits are processed by our team, we ensure that each change is manually reviewed for security and legitimacy.
You can verify that the CSP is present by opening your browser's developer tools, loading your website, and looking at the response headers on the initial request.
If there is a header named "content-security-policy" and its value contains "default-src" then a CSP is active on your website.
And if your website looks and functions correctly (i.e., it shows images, the colors look right, the drop-down navigation menus are displaying, etc.), then you'll know that the CSP is working.
Another way to tell is to look at the JavaScript console in your browser's developer tools — if you don't see any red error messages that say "Refused to display/apply/etc." then the website hasn't attempted to do anything that is disallowed by the CSP.
Probably not. We've made adjustments and improvements to our software and the code libraries we use to allow for strict CSPs to be implemented, and we haven't come across anything yet that had to be removed for the CSP.
A CSP is a layer of security that depends on and enhances some of the protections SSL provides (when used properly).
SSL lets you know that the webpage you're viewing wasn't modified by an attacker while in transit.
However, SSL won't protect against these two distinct potential threats:
A CSP responds to these two threats by telling browsers what types of and from which sources they are allowed to load resources when displaying a website.
It's not insecure, but a CSP makes it more secure. The key is that the CSP is a managed policy: it can't be edited without our involvement, so any change to your CSP will have gone through someone who understands the implications of that change.
If someone somehow finds a way to add something unauthorized to the site — like new JavaScript code, a video, or an iframe from a source that isn't already allowed — the CSP will block those things from being loaded by visitors' browsers, and we'll be notified about the attempt.
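To make the mechanics described above concrete (how a policy restricts resource types and sources, how a script added through Google Tag Manager from an unlisted origin gets blocked, and how to tell from the response headers whether a CSP is present and strict), here is an added example. It is not Webtricity's code and not part of the original page. The host www.googletagmanager.com is the origin GTM's container script is served from; the agency origin, the CDN host, the report-uri path and the header values are constructed for this example. It simplifies the CSP source-matching rules: fetch directives fall back only to default-src, scheme-less host sources match http or https, and nonces, hashes, 'strict-dynamic' and URL paths are not evaluated.

```javascript
// Added example (not Webtricity code): a minimal Content-Security-Policy parser
// and checker. It shows (1) how to tell from response headers whether a CSP is
// present and how strict it is, and (2) how a browser decides whether a resource,
// such as a script added through Google Tag Manager, is allowed to load.
// Simplifications: fetch directives fall back only to default-src; scheme-less
// host sources match http or https; nonces, hashes, 'strict-dynamic' and URL
// paths are not evaluated.

// Parse a header value into Map<directiveName, sourceList>. Per the CSP spec,
// a directive that appears twice keeps its first occurrence.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Does one source expression match a resource URL loaded by a page at pageOrigin?
function sourceMatches(source, resourceUrl, pageOrigin) {
  const src = source.toLowerCase();
  const url = new URL(resourceUrl);
  const isNetwork = url.protocol === 'https:' || url.protocol === 'http:';
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === '*') return isNetwork;
  if (src.startsWith("'")) return false;            // 'unsafe-inline', 'nonce-...', 'sha256-...' never match a URL
  if (src.endsWith(':')) return url.protocol === src; // scheme-source such as "https:" or "data:"
  // host-source: [scheme://][*.]host[:port]
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme ? url.protocol !== scheme + ':' : !isNetwork) return false;
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  if (port && port !== '*' && (url.port || DEFAULT_PORT[url.protocol]) !== port) return false;
  return true;
}

// Would the browser allow `resourceUrl` under `directive` (e.g. 'script-src')?
// A missing fetch directive falls back to default-src; if neither exists the
// policy imposes no restriction on that resource type.
function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, resourceUrl, pageOrigin));
}

// Assess the response headers of a page's initial request (lower-cased names):
// is a CSP present, and does it have common weaknesses?
function assessCsp(headers) {
  const value = headers['content-security-policy'];
  if (!value) return { present: false, findings: ['no content-security-policy header'] };
  const policy = parseCsp(value);
  const findings = [];
  if (!policy.has('default-src')) findings.push('missing default-src fallback');
  for (const [name, sources] of policy) {
    if (sources.includes('*')) findings.push(`${name} allows any host (*)`);
    if ((name === 'script-src' || name === 'default-src') && sources.includes("'unsafe-inline'")) {
      findings.push(`${name} allows inline scripts ('unsafe-inline')`);
    }
  }
  if (!policy.has('report-uri') && !policy.has('report-to')) {
    findings.push('no report-uri/report-to: violations are blocked but nobody is notified');
  }
  return { present: true, findings };
}

// Constructed sample data (not captured from a real site).
const PAGE_ORIGIN = 'https://agency.example';
const LAX_HEADERS = { 'content-security-policy': "script-src * 'unsafe-inline'; img-src *" };
const STRICT_HEADERS = {
  'content-security-policy':
    "default-src 'self'; script-src 'self' https://www.googletagmanager.com; " +
    "img-src 'self' data:; report-uri /csp-report",
};
// Hypothetical script that someone with GTM access might add via a tag.
const GTM_ADDED_SCRIPT = 'https://cdn.example.net/added-by-gtm.js';

// Compare what each policy lets through for the same resources.
function summarize() {
  const strict = parseCsp(STRICT_HEADERS['content-security-policy']);
  const lax = parseCsp(LAX_HEADERS['content-security-policy']);
  return {
    strictFindings: assessCsp(STRICT_HEADERS).findings,
    laxFindings: assessCsp(LAX_HEADERS).findings,
    gtmLoaderAllowedByStrict: isAllowed(strict, 'script-src', 'https://www.googletagmanager.com/gtm.js', PAGE_ORIGIN),
    addedScriptAllowedByStrict: isAllowed(strict, 'script-src', GTM_ADDED_SCRIPT, PAGE_ORIGIN),
    addedScriptAllowedByLax: isAllowed(lax, 'script-src', GTM_ADDED_SCRIPT, PAGE_ORIGIN),
  };
}

console.log(JSON.stringify(summarize(), null, 2));
```

The strict policy still lets the GTM container script itself load (its host is listed under script-src), but a tag that injects a script from any other origin is refused, and the report-uri directive is what turns that refusal into a notification rather than a silent block.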
There are no downsides to adding additional layers of security to your website.
Even if you drive a really safe car, you always drive the speed limit, you come to a complete stop at stop signs, and you're never distracted while driving, it's still a good idea to wear a seatbelt. All of these things reduce the risk of collisions and injuries, and there's no harm in adding as many layers as possible.
Even if you're very careful with your own accounts, your third-party marketing company may not have strong security policies, or the user with access to your accounts may not adhere to them.
It could be as simple as an unlocked laptop being stolen from a car in the gym parking lot with the browser still signed in to your Google Analytics account. The thief then has access to your Google Tag Manager account, which gives them a way to add new script tags to your website without your knowledge.
No contracts. No coding. No headaches.
Just a beautiful website in way less time.
Try Webtricity for $1