
What is a Content-Security-Policy (CSP)

We came across a site we were working on which used CSP, so we thought we would look into it a bit.

Many sites get hijacked by attackers who inject malicious code into their web pages.

This is known as cross-site scripting (XSS).

The code can be inserted via out-of-date plugins or themes (by exploiting security flaws), through comment sections, or through any form where a user submits information.

In an XSS attack the browser then runs the malicious code without any way of verifying that it is safe or that it actually belongs to your site.

Here is a good example of cross-site scripting.

In simple terms, a CSP tells the browser where it is allowed to load code from.

For example, it may say that only code from https://yourwebsite.com is allowed, or from https://google.com.

By whitelisting sources you instruct the browser to load assets only from places you have approved.

Code from any source you have not approved is automatically blocked by the browser.

This is a really great feature, as it helps reduce the problems usually associated with XSS.
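To make the whitelisting concrete, here is an added example (our own illustration, not code from the original post) of a small checker that answers "would the browser load this URL under this policy?" for the subset of CSP discussed above. The policies, the page origin https://yourwebsite.com and the hostnames in it are constructed for the example.

```python
# Simplified CSP source-list matching: supports 'none', 'self', "*", scheme
# sources such as "https:", host sources with an optional "*." wildcard, and
# the fallback from a fetch directive (script-src, img-src, ...) to default-src.
# Nonces, hashes, ports, paths and 'strict-dynamic' are deliberately left out.

def parse_csp(header):
    """Split a Content-Security-Policy header value into directive -> source list."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _split_url(url):
    """Return (scheme, host) for a URL such as https://google.com/analytics.js."""
    scheme, _, rest = url.partition("://")
    return scheme.lower(), rest.split("/", 1)[0].lower()

def _source_matches(source, url, page_origin):
    """Does one source expression match the resource URL?"""
    if source.startswith("'"):
        # 'self' matches same-origin URLs; 'none', 'unsafe-inline', nonces
        # and hashes never match a URL.
        return source == "'self'" and _split_url(url) == _split_url(page_origin)
    target_scheme, target_host = _split_url(url)
    if source == "*":                             # any host (simplified)
        return True
    if source.endswith(":"):                      # scheme source, e.g. "https:"
        return target_scheme == source[:-1].lower()
    allowed_scheme, _, allowed_host = source.lower().rpartition("://")
    allowed_host = allowed_host.split("/", 1)[0]  # drop any path part
    if not allowed_scheme:                        # host source without a scheme
        allowed_scheme = _split_url(page_origin)[0]
    # CSP lets an http: source match an https: resource, but never the reverse.
    if allowed_scheme != target_scheme and not (allowed_scheme == "http" and target_scheme == "https"):
        return False
    if allowed_host.startswith("*."):
        return target_host.endswith(allowed_host[1:])
    return allowed_host == target_host

def is_allowed(policy, directive, url, page_origin):
    """Apply the directive's source list (or default-src as fallback) to the URL."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                               # nothing in the policy restricts it
    return any(_source_matches(s, url, page_origin) for s in sources)

def allows_inline_script(policy):
    """Injected <script> blocks, the usual XSS payload, only run with 'unsafe-inline'."""
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources

# Constructed policies: one that looks restrictive but is not, and a tighter one.
PAGE = "https://yourwebsite.com"
WEAK = "default-src 'self' https: 'unsafe-inline'"
STRICT = "default-src 'self'; script-src 'self' https://google.com; object-src 'none'"
```

The weak policy still lets a script from any https host run and allows inline scripts, so an injected comment payload would execute; the strict one confines scripts to the site itself and https://google.com.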

To learn more about CSP here is a great article.

Of course, CSP isn’t 100% secure (nothing is), but it can help mitigate attacks on the website.

Many websites we work on these days use WordPress, and we have also worked on many WordPress websites which have been hacked.

If you need help with your WordPress website get in touch with us and we can review it and advise how to get it fixed.