User Friction & Site Performance Blog | Blue Triangle

Why Are So Many Major Websites Operating Without a Content Security Policy (CSP)?

Written by Adam Wood | Nov 13, 2023 7:48:18 PM

While browsers have supported Content Security Policies (CSPs) for over a decade, and the benefits of a CSP are well documented, only 7% of Alexa’s top 1 million sites have a valid CSP.

That percentage improves when you look at the top 1,000 most visited sites. But even still, less than a quarter of those sites have adopted a CSP.

If auditing and controlling third-party content is critical for every website, then why do so many companies operate websites unprotected by a CSP?

1. For starters, resource constraints can be a challenge.

With teams and budgets already stretched managing different sites and apps, auditing tags and implementing a CSP could be seen as more of a burden than relief.

Generally, adopting and maintaining a CSP requires time, expertise, and resources.

Many companies lack the resources needed to develop, implement, and monitor an effective CSP with ease, and tackling content security manually, without an automated CSP Manager, eats up worker hours and is a laborious effort.

2. CSPs are hard to build and maintain.

Mapping out what domains and subdomains have access to your website and what resources they are loading (e.g. JavaScript, CSS, PHP) can be tedious and time-consuming without the right tools.

Even after thoroughly mapping all this out (which typically takes days to weeks), properly coding a CSP is challenging. Most deployed CSPs either omit key data or use unsafe settings, which is why only 2% of sites have implemented “perfect” CSPs.

Once built, continuously managing a CSP without an intelligent monitoring solution is time- and resource-intensive: the policy must be updated with every site release, and every CSP violation reported in your browser console log has to be checked. That is why some sites only partially protect themselves, placing a CSP on shopping cart pages but leaving the rest of the site vulnerable.

3. CSPs are inherently complicated.

CSPs are often considered complicated due to their technical nature and the intricacies involved in defining and implementing them.

It typically requires dozens of lines of code and significant documentation. Specifying which resource types each domain and subdomain is authorized to load also leaves no room for error.

While all these steps can be done manually, attempting to do so is unnecessary; the answer to most of these problems is using a CSP management solution that can help you automate the process of building and managing your CSP.
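To make the two previous points concrete, here is an added example (not Blue Triangle's code and not a CSP Manager) that does the two manual chores the post describes: it parses a Content-Security-Policy header into its directives and flags the unsafe settings that keep a policy from being "perfect", and it aggregates the violation reports a browser sends to a reporting endpoint so that unknown domains stand out. Only the header grammar and the `csp-report` JSON shape come from the W3C CSP specification; the policy strings, host names such as `cdn.example.com` and `unknown-cdn.example.net`, and the report lines are constructed for the demo.

```python
"""Lint a Content-Security-Policy header and aggregate violation reports.

Added example for this post; it is not Blue Triangle's code or a CSP Manager.
Only the CSP header grammar and the 'csp-report' JSON body that browsers POST
to a report-uri endpoint come from the W3C CSP specification; every policy
string, host name and report line below is constructed for the demo.
"""
import json
from collections import Counter

# A nonce or hash source in script-src makes CSP3 browsers ignore 'unsafe-inline'.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; tokens inside one are whitespace-separated.
    Browsers honour only the first occurrence of a repeated directive, so a
    duplicate is dropped here rather than merged.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def lint_csp(header: str) -> list:
    """Return short codes for the weak settings most often seen in deployed CSPs."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no-default-src")  # anything unlisted loads from anywhere
    # script-src falls back to default-src when it is absent
    script = policy.get("script-src", policy.get("default-src", []))
    strict = any(s.startswith(NONCE_OR_HASH) for s in script)
    for src in script:
        if src == "*":
            findings.append("script-wildcard")
        elif src in ("http:", "https:", "data:"):
            findings.append("script-scheme-only:" + src)  # any host on that scheme
        elif src.startswith("http://"):
            findings.append("script-plain-http:" + src)
        elif src == "'unsafe-inline'" and not strict:
            findings.append("script-unsafe-inline")  # only counts when actually in effect
        elif src == "'unsafe-eval'":
            findings.append("script-unsafe-eval")
    if policy.get("object-src", policy.get("default-src", [])) != ["'none'"]:
        findings.append("object-src-open")  # plugin content can execute script too
    if "base-uri" not in policy:
        findings.append("no-base-uri")  # an injected <base> would re-point relative script URLs
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no-report-endpoint")  # violations only reach the console
    return findings


def summarize_reports(report_lines) -> Counter:
    """Count violation reports by (effective directive, blocked URI).

    Each line is the JSON body a browser POSTs to report-uri. Grouping turns a
    noisy stream into a short list of sources that either belong on the
    allowlist or are an unapproved tag that needs investigation.
    """
    counts = Counter()
    for line in report_lines:
        report = json.loads(line)["csp-report"]
        directive = report.get("effective-directive") or report.get("violated-directive", "?")
        counts[(directive, report.get("blocked-uri", "?"))] += 1
    return counts


# Constructed policies: the first is the shape the post calls "unsafe adoption",
# the second a nonce-based policy with a reporting endpoint.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = (
    "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com; "
    "object-src 'none'; base-uri 'self'; report-uri /csp-report"
)

# Constructed report bodies in the JSON shape browsers POST to report-uri.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example.com/cart",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://unknown-cdn.example.net/tag.js",
                               "disposition": "enforce"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example.com/checkout",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://unknown-cdn.example.net/tag.js",
                               "disposition": "enforce"}}),
    # older report shape: violated-directive only, inline script blocked
    json.dumps({"csp-report": {"document-uri": "https://shop.example.com/cart",
                               "violated-directive": "script-src",
                               "blocked-uri": "inline",
                               "disposition": "report"}}),
]

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, lint_csp(csp) or "no findings")
    for (directive, uri), n in summarize_reports(SAMPLE_REPORTS).most_common():
        print(f"{n:3d}  {directive:<12} {uri}")
```

The linter deliberately does not flag `'unsafe-inline'` when a nonce or hash source is also present, because a CSP3 browser ignores the keyword in that case and the policy is still strict; a checker that misses this nuance will report false positives on the most common hardened layout. The report summary is the manual version of the "check every CSP violation" step: once grouped by blocked URI, a newly appearing host is the signal to either allowlist it or investigate who added the tag.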

4. Most companies have been lucky. So far.

Companies that have not experienced significant security breaches or incidents may underestimate potential threats they face, such as Magecart attacks, and overestimate their current security measures, believing they are adequately protected without CSP.

But unrestricted third-party content can lead to serious problems for your business and customers.

High-profile stories from British Airways, Newegg, and Ticketmaster are just a few examples of the cost of operating without a CSP.

So whether caused by fraud (bad actors) or by error (bad oversights), failure to actively manage your online properties with a CSP opens your site to costly slowdowns and brand reputation damage.

It’s not just about security and compliance risk, but fully owning the content, services, and experiences presented to your customers.

5. Lastly, there are other myths surrounding CSP.

Misconceptions about CSP, such as the belief that it is only necessary for high-risk applications, may deter companies from exploring CSPs. But it’s not just a security measure; it protects against revenue loss and friction impacting customer trust and loyalty.

Implementing a CSP is a proactive step toward safeguarding your web assets, user data, and brand reputation. It’s an essential component of modern web security practices, offering multiple benefits beyond just preventing cross-site scripting (XSS) attacks.

Companies of all sizes and industries can benefit from a well-configured CSP to deliver a secure and frictionless user experience.

Considerations for evaluating a CSP Manager.

A good Content Security Policy (CSP) Manager can simplify identifying third-party content and creating compliant code. But that's not all:

  • Aligns with your security and business requirements to protect your site effectively, giving you real-time insight into every first- and third-party domain loading on your site.
  • Presents an easy way to review and create a whitelist of approved domains, file types, and authorized content contributors, plus ongoing monitoring that instantly alerts you if an unauthorized user attempts to add a new tag.
  • Automatically generates a comprehensive and accurately coded CSP header and meta-tag for easy deployment. Once deployed, your custom-built CSP continuously blocks unknown or malicious domains from accessing your site.

Watch Nick Paladino, Director of Product Engineering, race against the clock and a barista to deploy a robust CSP while his morning cup of coffee is still scorching hot.

Grab a coffee on us and let's have a 15-minute chat about CSP.

Why Major Sites Don’t Have a CSP – and What to Do About It.

Implementing and managing Content Security Policies (CSPs) can be challenging due to resource constraints, technical complexity, and misconceptions. However, companies that neglect CSPs may face security breaches, revenue loss, and customer trust issues. Automating CSP management and using a well-configured CSP can deliver a secure and frictionless user experience while mitigating risks.