I’ve been doing some work on CSP’s to make sure my Observatory scores are nice and high. These are pretty basic notes but the documentation is weird for this and it took me longer than it should have.

There’s a couple things more than the MDN docs I’ve learnt along the way. As a bunch of this doesn’t seem to be easily found together in documentation.


Start with the gatsby-plugin-csp but then also add the gatsby-plugin-netlify

The way Gatsby deals with images there is no way to get inlines out of the CSP


Theres a little problem here with having inline scripts makes the CSP considerably weaker but that’s also how the editor works so I’ve been adding what I can to the .htaccess file and then some more through the meta tag in the themes header.php file

.htaccess file

The CSP needs to be wrapped in this if statement

<IfModule mod_headers.c>
    Content-Security-Policy "default-src 'self';

multi line blocks need line breaks with slashes like these that are not needed in the meta tag

Header set Content-Security-Policy: "default-src 'self'; \
style-src 'self' 'unsafe-inline'; \
font-src 'self' ;"


When dealing with a theme using jetpack theres an inline script on every page that’s easy to grab and throw the hash into the script-src on either Edge or Chrome writing it out for you in the console.


In the .htaccess file add the line

report-uri /csp-violation-report-endpoint.php

This is referencing the root of the site beside the .htaccess file I’ve been adapting on the file here