
Does my static website need Content Security Policy? #9

Closed
kamal-choudhary opened this issue Oct 20, 2021 · 2 comments
Labels
type: question Further information is requested

Comments

@kamal-choudhary

Hi, thank you so much for the useful package.

I have a static blog website built using Next.js and Strapi headless CMS.

I recently came to know about the Content Security Policy.

But I'm having a really hard time understanding it thoroughly.

I was reading articles about it online and some of them say that it is not required for a static website.

https://csp.withgoogle.com/docs/why-csp.html

https://reesmorris.co.uk/blog/implementing-proper-csp-nextjs-styled-components

My website is an SSG (automatically generated static HTML + JSON).

The only place where the server is involved is the sitemap.xml file, which is handled by pages/api/sitemap.js. I can't generate it statically because of dynamic URLs coming from Strapi.

I have a cookie consent banner on the website, and I think that is the only cookie besides the Google Analytics & TruConversion Heatmap cookies (if this is relevant).

I am planning to have a "contact" page on my website in the future and it will contain the contact form. Probably, the only place where users may input data.

I'll be very thankful if you could suggest whether I actually need a CSP or not.

@kamal-choudhary kamal-choudhary changed the title Does my static website need Content Script Policy? Does my static website need Content Security Policy? Oct 20, 2021
@trezy
Owner

trezy commented Oct 21, 2021

That's a great question! The short answer is no, you do not need CSP on any site, but CSP still provides value to every site that uses it.

While your site itself may be completely static, access from your domain name still has value to attackers. Some things that attackers can do with XSS on your site:

  • Inflate/ruin your Google Analytics
  • Completely replace your page content with something different
    • This could be defacement, or it could be much more malicious like a fake Google login form to steal a user's Google credentials

With this in mind, it's probably a good idea to use CSP on your static content just to protect your users.

@trezy trezy added the type: question Further information is requested label Oct 21, 2021
@trezy trezy pinned this issue Oct 21, 2021
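The policy the answer above argues for, as an added example (not code from this project or from either participant): a CSP for a static Next.js site that still allows Google Analytics, built from a directive map into a header value in the shape `next.config.js` `headers()` expects, plus a small `script-src` checker that shows the policy letting the analytics script through while refusing a script injected from another origin or inline. Assumptions: the Google Analytics hosts listed are the ones the tag loads from, TruConversion's hosts are not known here and are left out, the page origin `https://example.com` is made up, and the checker covers only `'none'`, `'self'`, `'unsafe-inline'` and explicit `https://` host sources (no nonces, hashes, ports or full CSP3 matching).

```javascript
// Added example, not the project's code. Directive map for a static site that
// loads Google Analytics; every other origin is denied by default-src.
// Assumed hosts: www.googletagmanager.com / www.google-analytics.com (GA).
const policy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://www.googletagmanager.com", "https://www.google-analytics.com"],
  "connect-src": ["'self'", "https://www.google-analytics.com"],
  "img-src": ["'self'", "data:", "https://www.google-analytics.com"],
  "style-src": ["'self'", "'unsafe-inline'"], // CSS-in-JS often needs this; tighten with nonces/hashes
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "form-action": ["'self'"],       // a future contact form can only post back to this site
  "frame-ancestors": ["'none'"],   // nobody may frame the site (clickjacking)
};

// Serialize the map into a header value. Keyword sources keep their quotes.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// What next.config.js would export to attach the header to every route.
// Note: headers() only applies when Next serves the site (next start / Vercel);
// a pure static export must get the header from the host or CDN instead.
const nextConfig = {
  async headers() {
    return [
      {
        source: "/(.*)",
        headers: [{ key: "Content-Security-Policy", value: buildCsp(policy) }],
      },
    ];
  },
};

// Inline <script> (the classic XSS payload) is allowed only with 'unsafe-inline'.
// Simplified: with nonces or hashes present, browsers ignore 'unsafe-inline'.
function inlineScriptAllowed(directives) {
  const sources = directives["script-src"] || directives["default-src"] || [];
  return sources.includes("'unsafe-inline'");
}

// Does an external script at `url` pass script-src for a page at `pageOrigin`?
// Subset of CSP host matching: 'none', 'self', https://host and https://*.host.
// Ports, paths, nonces and hashes are not handled (assumption for this example).
function scriptAllowed(directives, pageOrigin, url) {
  const sources = directives["script-src"] || directives["default-src"] || [];
  if (sources.includes("'none'")) return false;
  const target = new URL(url);
  for (const src of sources) {
    if (src === "'self'") {
      if (target.origin === pageOrigin) return true;
      continue;
    }
    if (!src.startsWith("http")) continue; // keywords such as 'unsafe-inline'
    const [scheme, rest] = src.split("://");
    if (target.protocol !== scheme + ":") continue; // https source never matches http
    const host = rest.replace(/\/.*$/, "");
    if (host.startsWith("*.")) {
      if (target.hostname.endsWith(host.slice(1))) return true;
    } else if (target.hostname === host) {
      return true;
    }
  }
  return false;
}

// Stand-alone demo with constructed URLs.
if (typeof require !== "undefined" && require.main === module) {
  const origin = "https://example.com";
  console.log(buildCsp(policy));
  console.log("GA script:", scriptAllowed(policy, origin, "https://www.googletagmanager.com/gtag/js?id=G-TEST"));
  console.log("injected script:", scriptAllowed(policy, origin, "https://attacker.example.net/steal.js"));
  console.log("inline script:", inlineScriptAllowed(policy));
}
```

The `form-action 'self'` directive is worth keeping even before the contact form exists: it is the directive that stops an injected form from posting to an attacker's server, the fake-login scenario described in the answer. `style-src 'unsafe-inline'` is the usual weak spot on Next.js sites using CSS-in-JS; replacing it with nonces or hashes is the next step once the rest of the policy is in place.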
@kamal-choudhary
Author

Hi @trezy,

I'm so sorry for the delayed response.

Yes, I completely agree with you that CSP is needed even if our website is static.

We have actually delayed this for now, but when I implement it on our website, I'll post my solution here.

So, anybody who comes here for help in the future will be able to get help from it.

Thank you so much for your time.
