The Content-Security-Policy (CSP) is an HTTP response header that adds a critical layer of security to your website. It helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection. A missing Content-Security-Policy header means your site is not using this modern security standard, leaving it more vulnerable to attacks that could compromise your data and your users’ trust.
Think of a CSP as a whitelist for your website. It tells the browser which sources of content (like scripts, styles, and images) are approved and should be allowed to load. If a malicious script from an untrusted source tries to execute, the browser enforcing the CSP will block it. For a broader look at website security, see our guides in the security category.

The SEO Impact of a Strong Security Posture
While a CSP is not a direct ranking factor, website security is a crucial part of a holistic SEO strategy. As Ahrefs’ guide to website security makes clear, a hacked or compromised site can be severely penalized or removed from search results entirely.
- User Trust: A secure website builds trust with users, who are more likely to engage and convert.
- Prevents Hacking: A CSP is a powerful defense against attacks that could deface your site or steal user data, both of which would be devastating for your brand and your rankings.
A Step-by-Step Guide to Implementing a Basic CSP
Implementing a CSP can be complex, and a policy that is too strict can break your site’s functionality. It’s best to start with a basic policy and test it thoroughly. For a deep dive into the technical details, the MDN Web Docs are an excellent resource.
Example: A Basic CSP in `.htaccess`

```apache
<IfModule mod_headers.c>
    # Only load scripts, styles, images and other resources from this site's own origin
    Header set Content-Security-Policy "default-src 'self';"
</IfModule>
```
For more on this topic, see our guide on on-page SEO.
Frequently Asked Questions
Does a missing CSP header directly affect my SEO rankings?
Not directly. Google does not use the presence of a CSP header as a direct ranking signal. However, a site that is compromised due to a lack of security can be flagged as unsafe, which would have a devastating impact on your rankings and traffic. Therefore, a CSP is an essential indirect factor for maintaining a healthy site.
What are ‘unsafe-inline’ and ‘unsafe-eval’?
These are source values in a CSP (the single quotes are part of the keyword) that allow the use of inline `<script>` and `<style>` tags (`'unsafe-inline'`) and the `eval()` function in JavaScript (`'unsafe-eval'`). While they can make implementation easier, they also reduce the security of your policy: allowing inline scripts lets injected script tags run, which is exactly what a CSP is meant to stop. It’s a best practice to avoid them if possible.
How can I check if my site has a CSP header?
You can use your browser’s developer tools (Network tab) to inspect the response headers for your page. Alternatively, a website crawler like Creeper can check for the presence of the Content-Security-Policy header across all pages of your site.
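The following is an added example, not code from the original article or from Creeper: it parses a captured Content-Security-Policy header value and reports the missing-header, missing `default-src`, `'unsafe-inline'`, `'unsafe-eval'` and wildcard cases discussed above. The sample response headers are constructed for illustration, not taken from a real site.

```python
"""Parse a Content-Security-Policy header and flag weak settings (added example)."""
from typing import Dict, List, Optional


def parse_csp(header: Optional[str]) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace. Directive
    names are case-insensitive, so they are lower-cased; a repeated
    directive is ignored by browsers, so the first occurrence is kept.
    """
    policy: Dict[str, List[str]] = {}
    for directive in (header or "").split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """script-src and style-src fall back to default-src when absent."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(headers: Dict[str, str]) -> List[str]:
    """Return findings for one page's response headers (empty list = no issue found)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    header = lowered.get("content-security-policy")
    if header is None:
        return ["missing Content-Security-Policy header"]
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: resource types without their own directive are unrestricted")
    # 'unsafe-eval' only matters for scripts; '*' and 'unsafe-inline' weaken both directives.
    checks = {"script-src": ("'unsafe-inline'", "'unsafe-eval'", "*"),
              "style-src": ("'unsafe-inline'", "*")}
    for directive, weak_tokens in checks.items():
        sources = effective_sources(policy, directive)
        findings.extend(f"{directive} allows {weak}" for weak in weak_tokens if weak in sources)
    return findings


if __name__ == "__main__":
    # Constructed sample responses: no header, the basic policy from this article, and a weakened one.
    samples = {
        "no-csp": {"Content-Type": "text/html"},
        "basic": {"Content-Security-Policy": "default-src 'self';"},
        "weak": {"content-security-policy":
                 "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src *"},
    }
    for name, hdrs in samples.items():
        print(name, "->", audit_csp(hdrs) or ["ok"])
```

To audit a live page, feed `audit_csp` the response headers from your browser's Network tab or from a crawler; the check only reads headers, so it works on any captured response.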
Is your website’s door unlocked? Start your Creeper audit today to check for a Content-Security-Policy header and other security best practices.