CSPs are typically deployed to any of these locations via a CDN (such as Akamai), an A/B testing provider (such as SiteSpect), or on the server side. Server-side deployment with Apache typically involves adding the CSP header directive to httpd.conf inside your VirtualHost, or to an .htaccess file. Server-side deployment with Nginx typically involves adding the header directive to your server {} block.
Meta Tag
Pros
- No limit on the size of the CSP. This can be huge depending on the number of domains that your site needs to allow.
Cons
- Does not support the “frame-ancestors” or “report-uri” directives.
- Report-only mode is not supported in this implementation; a report-only CSP delivered in a meta tag is ignored entirely.
- Urgent loading of scripts or stylesheets (a preload or push implementation) bypasses the CSP entirely, and those resources load regardless.
- The CSP must be added to the head tag before any script or link tags. This can be an operational strain depending on your setup.
Response Header
Pros
- Can be easier on the operational workflow, depending on the setup.
- Depending on the setup, can be easier to update the CSP in the future.
- HTTP headers take priority over meta tag elements.
- HTTP headers are more easily stored in the cache (which can be a disadvantage in some instances, especially if you are trying to implement front-end optimizations as well).
Cons
- Depending on how long the CSP is, header size limits can be an issue (header size limits can be imposed by both a CDN and the browser).
- Entirely unrelated elements like cookies count toward this header size limit.
- Headers are not usually compressed (except under HTTP/2, which supports header compression).
Both Meta Tag and Response Header
Pros
- Combines the best of both approaches above
- Supports both the “frame-ancestors” directive in the header and a large CSP in the meta tag.
Cons
- The header portion of the CSP is still subject to header size limits.
- This is the most operationally complex.
- The list of domains must be identical between the two. The header's list of domains takes priority over the meta tag's, but this can be extremely confusing.
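The pitfalls listed in the three sections above are mechanical enough to check automatically before a deployment goes live. The following Python linter is an added example, not code from the original article: given a response's header list and its HTML, it flags a meta-tag CSP that carries directives a meta tag cannot deliver (frame-ancestors and report-uri from the article, plus sandbox, which the HTML specification also disallows in meta), a report-only meta tag (ignored by browsers), a meta CSP placed after a script or link tag in the head, an oversized header block (cookies included), and source lists that differ between header and meta when both are used. The 8 KB header limit and the sample headers and HTML are constructed assumptions for the demonstration; real limits depend on your CDN and browser.

```python
"""Lint a CSP deployment for the meta-tag and header pitfalls described above.

Added example, not part of the original article. The header size limit and
the sample response below are constructed for illustration.
"""
from html.parser import HTMLParser

HEADER_SIZE_LIMIT = 8 * 1024  # assumed limit; real CDN/browser limits vary
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "sandbox"}  # ignored in <meta>


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split "default-src a b; script-src c" into {"default-src": ["a", "b"], ...}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def header_bytes(headers: list[tuple[str, str]]) -> int:
    """Approximate wire size of the header block: 'Name: value\\r\\n' per header."""
    return sum(len(name) + len(value) + 4 for name, value in headers)


class _MetaCspScanner(HTMLParser):
    """Collect CSP meta tags in <head> and note whether a script/link preceded them."""

    def __init__(self):
        super().__init__()
        self.meta_policies = []
        self.report_only_meta = False
        self.meta_after_script = False
        self._in_head = False
        self._seen_script_or_link = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names
        if tag == "head":
            self._in_head = True
        elif self._in_head and tag in ("script", "link"):
            self._seen_script_or_link = True
        elif self._in_head and tag == "meta":
            equiv = (a.get("http-equiv") or "").lower()
            if equiv == "content-security-policy-report-only":
                self.report_only_meta = True
            elif equiv == "content-security-policy":
                self.meta_policies.append(a.get("content", ""))
                if self._seen_script_or_link:
                    self.meta_after_script = True

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def lint(headers: list[tuple[str, str]], html: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings = []
    header_policy = next(
        (v for k, v in headers if k.lower() == "content-security-policy"), None
    )
    size = header_bytes(headers)
    if size > HEADER_SIZE_LIMIT:
        findings.append(f"header block is {size} bytes, over the assumed {HEADER_SIZE_LIMIT}-byte limit")

    scanner = _MetaCspScanner()
    scanner.feed(html)
    if scanner.report_only_meta:
        findings.append("report-only CSP in a meta tag is ignored by browsers")
    if scanner.meta_after_script:
        findings.append("meta CSP appears after a script/link tag in head; earlier tags load unprotected")
    for policy in scanner.meta_policies:
        for directive in sorted(META_UNSUPPORTED & parse_csp(policy).keys()):
            findings.append(f"meta CSP contains '{directive}', which is ignored in a meta tag")
    if header_policy and scanner.meta_policies:
        # Combined deployment: directives present in both must list the same sources.
        h, m = parse_csp(header_policy), parse_csp(scanner.meta_policies[0])
        for directive in sorted(h.keys() & m.keys()):
            if set(h[directive]) != set(m[directive]):
                findings.append(f"'{directive}' source list differs between header and meta")
    return findings


# Constructed sample response: combined header + meta deployment with three mistakes.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "frame-ancestors 'self'; script-src 'self' https://cdn.example.com"),
    ("Set-Cookie", "session=abc; Path=/"),
]
SAMPLE_HTML = """<html><head>
<script src="/boot.js"></script>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'self' https://cdn.example.com https://other.example.net; report-uri /csp">
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_HEADERS, SAMPLE_HTML):
        print("-", finding)
```

Running the sample reports the meta tag placed after a script tag, the report-uri directive that the meta tag silently drops, and the script-src mismatch between header and meta; the header block itself stays well under the assumed limit, so no size finding appears. Swapping in a response whose cookies push the header block past the limit produces the size finding, which is the cookie-related point made in the header section.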