trezy
commented
3 years ago That's a great question! The short answer is no, you do not need CSP on any site but CSP still provides value to every site that uses it.
While your site itself may be completely static, access from your domain name still has value to attackers. Some things that attackers can do with XSS on your site:
- Inflate/ruin your Google Analytics
- Completely replace your page content with something different
- This could be defacement, or it could be much more malicious like a fake Google login form to steal a user's Google credentials
With this in mind, it's probably a good idea to use CSP on your static content just to protect your users.
kamal-choudhary
Hi, thank you so much for the useful package.
I have a static blog website built using Next.js and Strapi headless CMS.
I recently came to know about the Content Security Policy.
But having really a hard time understanding it thoroughly.
I was reading articles about it online and some of them say that it is not required for a static website.
https://csp.withgoogle.com/docs/why-csp.html
https://reesmorris.co.uk/blog/implementing-proper-csp-nextjs-styled-components
My website is an SSG (automatically generated static HTML +JSON).
The only place where the server is involved is the sitemap.xml file which is handled by (pages/api/sitemap.js). I can't generate it statically because of dynamic URLs coming from Strapi.
I have a cookie consent banner on the website and that is the only cookie I think besides Google Analytics & TruConversion Heatmap cookies. (If this is relevant)
I am planning to have a "contact" page on my website in the future and it will contain the contact form. Probably, the only place where users may input data.
I'll be very thankful to you if you suggest to me that whether I actually need a CSP or not.