Posts

CSP Examples Cookbook: Copy-Paste Security Headers Content Security Policy (CSP) is still one of the highest-impact browser defenses you can deploy in 2026. A good CSP reduces XSS risk, limits third-party script abuse, narrows data exfiltration paths, and makes supply-chain mistakes less catastrophic. The hard part is not the syntax. The hard part is shipping a policy that matches your stack. This cookbook gives you complete, copy-paste-ready CSP examples for common servers, frameworks, hosting platforms, and integrations. Each example is short, practical, and designed to be adapted with minimal changes. ...

A-Frame is a nice way to get WebXR scenes on the screen fast. You can ship VR or AR in a few tags, sprinkle in components, and call it a day. Then CSP shows up and breaks half the experience. I’ve seen this a lot: the app works locally, works in a relaxed staging setup, then production adds a real Content Security Policy and suddenly textures stop loading, inline components fail, analytics goes dark, and WebSocket features quietly die. ...

If you’ve ever tried to lock down a frontend with Content Security Policy and then dropped in Fabric UI, you already know the pattern: the CSP gets stricter, the UI gets weird, and somebody says “just add unsafe-inline” like that doesn’t defeat half the point. Fabric UI sits in an awkward spot for CSP. Some parts play nicely enough. Other parts push you toward looser policies, especially around styles. If your goal is a hardened CSP without turning your app into a pile of exceptions, you need to know where Fabric UI helps and where it fights you. ...

D3.js v7 is pretty friendly to Content Security Policy compared to older frontend stacks. It does not need eval, it does not inject mystery scripts, and it mostly sticks to normal DOM APIs. That’s the good news. The bad news is that D3 usually lives inside apps that do all the annoying CSP-breaking stuff around it: inline bootstrapping, dynamic data loading, CSS in <style> blocks, analytics tags, and third-party embeds. So the trick is not “make D3 work.” The trick is “make D3 work without punching a giant hole in your policy.” ...

NeoMagic.css is the kind of CSS framework people pick because they want speed, tiny bundles, and fewer moving parts. Good call. But once you start shipping a real app with analytics, fonts, icons, and maybe a little JavaScript sugar, your CSP usually turns into a weird mix of good intentions and emergency exceptions. I’ve seen this a lot: the app starts with a nice strict policy, then somebody adds a tag manager, then a consent banner, then inline styles sneak in, and now style-src 'unsafe-inline' is hanging around forever like a bad temporary fix. ...

Phosphor Icons are easy to love: clean set, multiple weights, works fine in React, and the SVG output is usually painless. The annoying part starts when you lock down Content Security Policy and realize your icon strategy has security consequences. I’ve run into this a lot. Teams pick an icon package early, then add CSP later, and suddenly a harmless-looking icon library turns into a debate about style-src, font-src, inline SVG, third-party CDNs, and whether someone really needs a runtime script to paint a caret. ...

Loom embeds look simple: paste an iframe, ship it, move on. Then CSP blocks it, the video area goes blank, and somebody “fixes” it by slapping https: into frame-src or loosening half the policy. I’ve seen this happen more than once. Loom is exactly the kind of third-party embed that exposes weak CSP habits: developers guess at directives, over-allow sources, or forget that an iframe usually pulls in more than one origin. ...

I’ve seen this exact failure more than once: marketing drops in a Stripe pricing table, everything looks fine locally, then production CSP quietly blocks it and the page ships half-broken. The annoying part is that Stripe’s pricing table is simple to embed, but CSP rarely is. If your site already has Google Tag Manager, analytics, consent tooling, and a reasonably locked-down policy, adding one more third-party script can turn into a guessing game fast. ...

Adobe Typekit — now usually called Adobe Fonts — is one of those services that looks simple until CSP enters the room. You paste the embed code, the fonts load, everyone is happy. Then you lock down your site with Content Security Policy and suddenly your typography falls back to Arial. I’ve had this break in production more than once. The annoying part is that Typekit needs more than one CSP directive, and the exact domains matter. If you only allow scripts, the stylesheet gets blocked. If you allow styles but forget fonts, the CSS loads and the fonts still fail. Classic. ...

Wistia embeds are one of those cases where a clean Content Security Policy gets messy fast. You start with a tight policy, add one video, and suddenly you’re dealing with frame-src, script-src, img-src, connect-src, media delivery, analytics, and a player that wants to talk to a handful of subdomains. If your site already runs a strict CSP, Wistia can feel like the one integration that pressures you into punching holes everywhere. ...