Performance: Content Security Policy
MEDIUM IMPACT
Content Security Policy (CSP) affects page load speed by controlling which resources the browser can load, impacting render-blocking and resource fetching.
0Content Security Policy in Django - Performance & Optimization
Start learning this pattern below
Jump into concepts and practice - no test required
or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Defining a Content Security Policy in Django to control resource loading
Django
CSP_HEADER = "default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' https://trusted.cdn.com"Restricts resource loading to trusted origins, reducing unnecessary network requests and render-blocking.
📈 Performance GainReduces LCP by limiting resource fetches and blocking malicious scripts early.
Defining a Content Security Policy in Django to control resource loading
Django
CSP_HEADER = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'"This overly permissive CSP allows all sources and unsafe inline scripts/styles, causing security risks and no performance benefit.
📉 Performance CostAllows loading of many external resources, increasing render-blocking and LCP delays.
Performance Comparison
| Pattern | DOM Operations | Reflows | Paint Cost | Verdict |
|---|---|---|---|---|
| Permissive CSP allowing all sources | No direct DOM impact | Multiple reflows due to many external resources | High paint cost from many resources | [X] Bad |
| Strict CSP limiting to self and trusted domains | No direct DOM impact | Fewer reflows due to limited resources | Lower paint cost from fewer resources | [OK] Good |
Rendering Pipeline
The browser checks the CSP header before loading resources. It blocks disallowed scripts, styles, or images, reducing unnecessary layout and paint work.
→Resource Fetching
→Style Calculation
→Layout
→Paint
⚠️ BottleneckResource Fetching
Core Web Vital Affected
LCP
Content Security Policy (CSP) affects page load speed by controlling which resources the browser can load, impacting render-blocking and resource fetching.
Optimization Tips
1Use a strict CSP to limit resource loading to trusted domains only.
2Avoid 'unsafe-inline' and 'unsafe-eval' to improve security and performance.
3Test CSP in DevTools Network tab to ensure it blocks unwanted resources without breaking the page.
Performance Quiz - 3 Questions
Test your performance knowledge
How does a strict Content Security Policy affect page load performance?
DevTools: Network
How to check: Open DevTools, go to Network tab, reload page, and filter by blocked requests to see which resources CSP blocks.
What to look for: Look for requests marked as blocked or failed due to CSP; fewer blocked requests indicate a well-configured CSP that balances security and performance.
Practice
1. What is the main purpose of Content Security Policy (CSP) in a Django application?
easy
Solution
Step 1: Understand CSP's role in security
CSP is designed to restrict what content the browser can load, preventing harmful scripts or resources.Step 2: Identify the correct purpose among options
Only To control which external resources can be loaded by the browser describes controlling external resource loading, which matches CSP's function.Final Answer:
To control which external resources can be loaded by the browser -> Option CQuick Check:
CSP purpose = control resource loading [OK]
Hint: CSP controls resource loading to improve security [OK]
Common Mistakes:
- Confusing CSP with performance optimization
- Thinking CSP manages user sessions
- Assuming CSP handles database tasks
2. Which of the following is the correct way to add a CSP header in a Django view?
easy
Solution
Step 1: Recall Django HttpResponse header syntax
In Django, headers are set by assigning to response['Header-Name'].Step 2: Match the correct syntax
response['Content-Security-Policy'] = "default-src 'self'" uses response['Content-Security-Policy'] = "default-src 'self'", which is correct Django syntax.Final Answer:
response['Content-Security-Policy'] = "default-src 'self'" -> Option DQuick Check:
Django header set = response['Header'] = value [OK]
Hint: Use response['Header-Name'] = value to set headers in Django [OK]
Common Mistakes:
- Using JavaScript or Flask header syntax in Django
- Calling non-existent methods like setHeader
- Trying to set headers via response.headers dictionary
3. Given this Django middleware snippet, what CSP header will be sent in the response?
class CSPMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
response = self.get_response(request)
response['Content-Security-Policy'] = "script-src 'self' https://cdn.example.com"
return responsemedium
Solution
Step 1: Analyze the middleware code
The middleware sets response['Content-Security-Policy'] to "script-src 'self' https://cdn.example.com" before returning the response.Step 2: Determine the header sent
The header sent will exactly match the assigned string in the middleware.Final Answer:
Content-Security-Policy: script-src 'self' https://cdn.example.com -> Option BQuick Check:
Middleware sets CSP header = script-src 'self' https://cdn.example.com [OK]
Hint: Middleware sets header exactly as assigned before returning response [OK]
Common Mistakes:
- Assuming default-src is set instead of script-src
- Thinking header is not set because of missing return
- Confusing middleware with view-level headers
4. You added this CSP header in Django but your inline scripts stopped working:
response['Content-Security-Policy'] = "default-src 'self'"What is the likely cause and fix?
medium
Solution
Step 1: Understand CSP default-src effect on scripts
default-src 'self' blocks inline scripts by default because inline scripts are unsafe.Step 2: Fix by allowing inline scripts explicitly
Adding 'unsafe-inline' to script-src directive allows inline scripts to run.Final Answer:
Inline scripts blocked; add 'unsafe-inline' to script-src directive -> Option AQuick Check:
Inline scripts need 'unsafe-inline' in CSP [OK]
Hint: Add 'unsafe-inline' to allow inline scripts in CSP [OK]
Common Mistakes:
- Removing quotes around 'self' breaks CSP syntax
- Changing 'self' to https://self is invalid
- Assuming inline scripts work without explicit permission
5. You want to allow images from your own site and from https://images.example.com but block all other sources. Which CSP header directive is correct in Django?
hard
Solution
Step 1: Identify directives to allow images only from specific sources
img-src directive controls image sources; 'self' allows own site, plus https://images.example.com.Step 2: Block all other sources by setting default-src to 'none'
default-src 'none' blocks everything else not explicitly allowed.Final Answer:
response['Content-Security-Policy'] = "img-src 'self' https://images.example.com; default-src 'none'" -> Option AQuick Check:
Allow images from self and example.com, block others [OK]
Hint: Use img-src for images and default-src 'none' to block others [OK]
Common Mistakes:
- Using default-src for images allows too many sources
- Using img-src * allows all images, not secure
- Setting img-src 'none' blocks all images