https://takao.blog/en/tags/csp/Recent content in Csp on Commentary of TakaoHugo -- gohugo.ioenCommentary of TakaoSat, 13 Jun 2026 23:11:50 +0900https://takao.blog/en/web/hugo-latest-csp-best-practices-2026/Fri, 05 Jun 2026 00:00:00 +0900https://takao.blog/en/web/hugo-latest-csp-best-practices-2026/<img src="https://takao.blog/img/thumnail.webp" alt="Featured image of post Designing Modern Content Security Policies for Hugo blogs" /><h2 id="why-csp-matters-for-static-sites">Why CSP Matters for Static Sites </h2><p>Static sites built with Hugo are inherently more secure than dynamic applications, but they still execute third-party scripts for analytics, ads, and embeds. A <strong>Content Security Policy (CSP)</strong> protects your visitors from XSS, data injection, and malicious script execution by controlling which resources can load.</p> <h2 id="setting-csp-via-cloudflare-pages">Setting CSP via Cloudflare Pages </h2><p>Cloudflare Pages supports custom <code>_headers</code> files for controlling HTTP response headers:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># static/_headers </span></span><span style="display:flex;"><span>/* </span></span><span style="display:flex;"><span> Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;; style-src &#39;self&#39; </span></span></code></pre></div><p>For Hugo, place the <code>_headers</code> file in your <code>static/</code> directory so it gets copied to the output:</p>https://takao.blog/en/web/security-content-security-policy-csp-report-only/Fri, 15 May 2026 00:00:00 +0900https://takao.blog/en/web/security-content-security-policy-csp-report-only/<img src="https://takao.blog/img/thumnail.webp" alt="Featured image of post Testing CSP Rules Safely with Content-Security-Policy-Report-Only" /><h2 id="the-broken-widget-problem">The Broken-Widget Problem </h2><p>Deploying a Content Security Policy is one of the strongest defenses against XSS attacks. But a single misconfigured directive can silently break inline scripts, block CDN resources, or disable analytics. If you apply CSP directly via the <code>Content-Security-Policy</code> header and a critical script gets blocked, your production site breaks—often without an obvious error console notification.</p> <p>This is where <strong>Report-Only mode</strong> saves the day.</p> <h2 id="report-only-vs-enforced-mode">Report-Only vs Enforced Mode </h2><p>CSP supports two headers:</p>https://takao.blog/en/web/security-csp-strict-dynamic-implementation/Sun, 15 Jun 2025 00:00:00 +0900https://takao.blog/en/web/security-csp-strict-dynamic-implementation/<img src="https://takao.blog/img/thumnail.webp" alt="Featured image of post Why and How to Adopt 'strict-dynamic' in CSP" /><h2 id="introduction">Introduction </h2><p>Implementing a <strong>Content Security Policy (CSP)</strong> is a highly effective way to mitigate Cross-Site Scripting (XSS) risks. However, configuring and maintaining the policy can become a major headache.</p> <p>For websites utilizing third-party SDKs (such as Google Tag Manager, analytics beacons, payment widgets, or social sharing buttons), these scripts often dynamically load (inject) additional scripts from nested domains. This forces developers to maintain a long, fragile whitelist of external domains in the <code>script-src</code> directive.</p>